This page describes our current approach, not a guarantee that any system is immune from every threat. We will update it as E-commerce Index grows.
1. Our approach
We design E-commerce Index around data minimization, clear system boundaries and evidence that can be audited. Public crawling, ranking calculations and any future owner-authorized data connections are treated as separate trust levels.
2. Current controls
- Traffic is served over encrypted HTTPS through Cloudflare’s network.
- Application workloads and background crawl jobs are isolated through managed edge services and queues.
- Access to operational systems is limited by role and business need.
- Secrets and credentials are kept out of public source code and client-side pages.
- We use logging and monitoring to investigate errors, abuse and suspicious activity.
- Dependencies and configurations are reviewed as the service changes.
- Backups or durable copies are used where appropriate for service recovery.
We do not claim a certification or audit that has not been completed.
3. Responsible website observation
Our crawler is intended to measure public technical signals while minimizing impact. We limit requests, avoid authentication barriers and do not attempt to access customer accounts, checkout data or other non-public systems. Store owners can request review of a factual error or concern.
Future verified analytics features will require deliberate authorization, narrow permissions and a visible explanation of how data affects a score before connection.
4. Report a vulnerability
If you believe you found a security issue, email hello@ecindex.org with the subject “Security report”. Include the affected page or endpoint, steps to reproduce, likely impact and a safe proof of concept where possible.
Please avoid accessing or changing other people’s data, disrupting the service, social engineering, denial-of-service testing, or publishing details before we have had a reasonable opportunity to investigate.
5. What to expect
We aim to acknowledge a credible report promptly, assess severity, contain risk and communicate material updates. Timelines vary with complexity. Good-faith research consistent with the guidance above will be treated respectfully.
If an incident materially affects personal information, we will investigate, remediate and provide notices where required by applicable law.