<
>

Compliance

Last updated: November 10, 2022

Introduction

At Judge.me, we care about being authentic, accessible, and secure. We are committed to protecting the rights of store owners and reviewers by complying with the following laws and regulations:

Data Security and Privacy

We are among the top 50 privacy dedicated companies, according to Mine's Privacy Index, thanks to our efforts to:

Accessibility

Comply with Level AA of Web Content Accessibility (WCAG 2.1 AA) and The Americans with Disabilities Act (ADA) by making our applications accessible to everyone, including those with disabilities.

Authenticity

Comply with Consumer Review Fairness Act (CRFA) enforced by the Federal Trade Commission (FTC), which protects consumers' ability to share opinions about products and services provided by stores using Judge.me.

World-class Infrastructure

Work with premium suppliers such as Amazon Web Services, Heroku, Postmark, Imgix, Cloudflare, OOPSpam, Google Cloud DLP, and so on, to optimize the performance of our apps and platforms.

Judge.me is a Shopify Plus Certified App Partner.

Data Security & Privacy

Is our security policy compliant with any standard?

aicpa-ready-icon

Yes, we are compliant with the AICPA Service Organization Control (SOC) 2 Type 2. SOC 2 Type 2 is the report on controls relevant to security over a specific period. Prescient Assurance, a leader in security and compliance certifications for B2B and SAAS companies worldwide, conducted the audit and confirmed we met this standard.

Where does personal data go?

We use Heroku and Amazon Web Services (AWS). Heroku's physical infrastructure is hosted and managed within Amazon's secure data centers and utilises the Amazon Web Service (AWS) technology.

Amazon conducts recurring assessments to ensure compliance with industry standards. In particular, their data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2 / SSAE 16 / ISAE 3402 (previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Store owners can sign a Data Processing Addendum with us to ensure that when any data transfer takes place inside or outside of the European Union, their interests are protected by the Standard Contractual Clauses (SCCs). Judge.me also applies SCCs with our third-party sub-processors. The use of SCCs outside of the EU has been validated by the Court of Justice of the European Union.

Who do we share personal data with?

We currently authorize some third-party sub-processors to process the data depending on which functions the stores enable in their Judge.me settings.

We assess our vendors and related third parties carefully, ensuring they satisfy the security and privacy requirements, and where applicable, sign non-disclosure agreements before engaging in any activities.

Is personal data kept safe?

We partner with HackerOne - the world's largest community of security hackers and utilize their Bug Bounty Program to reduce our risk of security vulnerabilities.

HackerOne has partnered with thousands of organizations and their services are used by big brands such as Shopify, WordPress, Slack, Twitter, Github, and Nintendo.

Is our privacy policy compliant with any standard?

Yes, we are compliant with the most popular standards that protect the privacy rights of store owners and reviewers, including:

gdpr-ready-icon

General Data Protection Regulation (GDPR): the privacy and security law drafted and passed by the European Union (EU).

ccpa-ready-icon

California Consumer Privacy Act (CCPA): the legislation that strengthens privacy rights and consumer protection for residents of California.

What do we do to protect privacy rights?

We've developed certain features to make sure the privacy rights of store owners and reviewers are protected according to the General Data Protection Regulation (GDPR). In particular, we'll:

  • Send all the reviewer data that stores have collected and processed upon request of reviewers (right to access and right to be informed).
  • Provide tools for reviewers to edit their display name, display name format, and reviews. Let stores make minor edits of review content, with the consent of reviewers (right to rectification/edit).
  • Provide tools for reviewers to delete their reviews, and delete all reviewer data that stores have collected and processed upon request of reviewers (right to be forgotten).
  • Provide all personal data in a structured and machine-readable format (right to data portability).

What personal data do we collect?

According to our Privacy Policy, we only collect personal data that is essential for running our customer review application and supporting our users in providing the best experience to reviewers. We do not use personal data for any other purposes than what has been agreed with our users.

Accessibility for everyone

We strive to make our applications accessible to everyone, including those with disabilities. When building the apps, our developers ensure that essential features are compliant with Level AA of Web Content Accessibility Guidelines (WCAG 2.1 AA) and The Americans with Disabilities Act. In particular, we have:

  • Added labels to the elements of our widgets so screen readers can describe these elements in a meaningful way.
  • Made all clickable links/buttons keyboard accessible.
  • Made focus appropriately changed after a click.
  • Set good color contrast for all default themes.

Authenticity of reviews

To maintain the authenticity and transparency of our apps and platforms, we follow the Consumer Review Fairness Act (CRFA) enforced by the Federal Trade Commission (FTC). This protects consumers' ability to share honest opinions about products and services provided by stores using Judge.me. We encourage our users to publish all of their reviews, even the unfavorable ones.

Medals

We also reward stores with different types of medals: transparency, authenticity, top shops, top trending shops, verified reviews, and monthly records.

Stores can display these medals on their review site listing and online store to showcase their social proof to potential customers.

World-class Infrastructure

We handle user-generated content with fast, secure and reliable suppliers to optimize the performance of our apps and platforms.

Heroku and Amazon Web Services: cloud hosting platform to host user-generated content that we collect on behalf of store owners.

Postmark: transactional email service to send review request emails on behalf of store owners.

Imgix: image hosting service to store and display customer review images.

Cloudflare: video hosting service to store and display customer review videos.

OOPSpam: spam detection tool to detect and filter spam reviews.

Google Cloud DLP: fully managed service to detect reviews containing Personal Identifiable Information (PII).

Shopify Plus Certification

Shopify Plus Certification

Judge.me is a Shopify Plus Certified App Partner. This certification solidifies not only our commitment to privacy but our premium product quality, service, performance, and support that meet the advanced requirements of Shopify Plus merchants.