At Judge.me, we care about being authentic, accessible, and secure. We are committed to protecting the rights of store owners and reviewers by complying with the following laws and regulations:
Data Security and Privacy
We are among the top 50 privacy dedicated companies, according to Mine's Privacy Index, thanks to our efforts to:
- Comply with the AICPA Service Organization Control (SOC) 2 Type 1 standard for data security.
- Comply with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Protect the Data Subject Rights of reviewers as specified in Articles 15-22 of GDPR.
- Process data on Heroku and Amazon Web Services (AWS), the data infrastructure that is assessed recurrently to ensure compliance with industry standards.
- Sign a Data Processing Addendum to protect the privacy of any data transfers either within or outside of the European Union (EU) via Standard Contractual Clauses (SCCs).
- Apply SCCs with all third-party sub-processors.
- Partner with HackerOne and utilise their Bug Bounty Program to ensure data safety.
Comply with the Consumer Review Fairness Act (CRFA), enforced by the Federal Trade Commission (FTC), which protects consumers' ability to share opinions about products and services provided by stores using Judge.me.
Work with premium suppliers such as Amazon Web Services, Heroku, Postmark, Imgix, Cloudflare, OOPSpam, Google Cloud DLP, and so on, to optimize the performance of our apps and platforms.
Judge.me is a Shopify Plus Certified App Partner.
Data Security & Privacy
Is our security policy compliant with any standard?
Yes, we are compliant with the AICPA Service Organization Control (SOC) 2 Type 1. SOC 2 Type 1 is the report on controls relevant to security, availability, processing integrity, confidentiality, and privacy at a specific point in time. Prescient Assurance, a leader in security and compliance certifications for B2B and SaaS companies worldwide, conducted the audit and confirmed we met this standard.
Where does personal data go?
Amazon conducts recurring assessments to ensure compliance with industry standards. In particular, their data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2 / SSAE 16 / ISAE 3402 (previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Store owners can sign a Data Processing Addendum with us to ensure that when any data transfer takes place inside or outside of the European Union, their interests are protected by the Standard Contractual Clauses (SCCs). Judge.me also applies SCCs with our third-party sub-processors. The use of SCCs outside of the EU has been validated by the Court of Justice of the European Union.
Who do we share personal data with?
We currently authorize some third-party sub-processors to process the data depending on which functions the stores enable in their Judge.me settings.
We assess our vendors and related third parties carefully, ensuring they satisfy the security and privacy requirements, and where applicable, sign non-disclosure agreements before engaging in any activities.
Is personal data kept safe?
We partner with HackerOne, the world's largest community of security hackers, and utilize their Bug Bounty Program to reduce our risk of security vulnerabilities.
HackerOne has partnered with thousands of organizations and their services are used by big brands such as Shopify, WordPress, Slack, Twitter, GitHub, and Nintendo.
Yes, we are compliant with the most popular standards that protect the privacy rights of store owners and reviewers, including:
General Data Protection Regulation (GDPR): the privacy and security law drafted and passed by the European Union (EU).
California Consumer Privacy Act (CCPA): the legislation that strengthens privacy rights and consumer protection for residents of California.
What do we do to protect privacy rights?
- Send all the reviewer data that stores have collected and processed upon request of reviewers (right to access and right to be informed).
- Provide tools for reviewers to edit their display name, display name format, and reviews. Let stores make minor edits of review content, with the consent of reviewers (right to rectification/edit).
- Provide tools for reviewers to delete their reviews, and delete all reviewer data that stores have collected and processed upon request of reviewers (right to be forgotten).
- Provide all personal data in a structured and machine-readable format (right to data portability).
What personal data do we collect?
Accessibility for everyone
We strive to make our applications accessible to everyone, including those with disabilities. When building the apps, our developers ensure that essential features are compliant with Level AA of the Web Content Accessibility Guidelines (WCAG 2.1 AA) and the Americans with Disabilities Act. In particular, we have:
- Added labels to the elements of our widgets so screen readers can describe these elements in a meaningful way.
- Made all clickable links/buttons keyboard accessible.
- Moved keyboard focus appropriately after a click.
- Set good color contrast for all default themes.
Authenticity of reviews
To maintain the authenticity and transparency of our apps and platforms, we follow the Consumer Review Fairness Act (CRFA) enforced by the Federal Trade Commission (FTC). This protects consumers' ability to share honest opinions about products and services provided by stores using Judge.me. We encourage our users to publish all of their reviews, even the unfavorable ones.
We also reward stores with different types of medals: transparency, authenticity, top shops, top trending shops, verified reviews, and monthly records.
We handle user-generated content with fast, secure and reliable suppliers to optimize the performance of our apps and platforms:
- Postmark: transactional email service to send review request emails on behalf of store owners.
- Imgix: image hosting service to store and display customer review images.
- Cloudflare: video hosting service to store and display customer review videos.
- OOPSpam: spam detection tool to detect and filter spam reviews.
- Google Cloud DLP: fully managed service to detect reviews containing Personally Identifiable Information (PII).
Shopify Plus Certification
Judge.me is a Shopify Plus Certified App Partner. This certification confirms not only our commitment to privacy but also the premium product quality, service, performance, and support that meet the advanced requirements of Shopify Plus merchants.