Information Security

ISO 27001

Information Security Commitment Statement

"Your business data is treated like it is our own."
Certification Status: In Progress (active pursuit — 2026)
Our Security Commitment

We treat every seller's data as if it were our own business on the line.

ISO 27001 is not a marketing credential for Storemate. It is a structured commitment to doing security properly — with independent verification that we are. This document explains exactly what that means.

01. What ISO 27001 Is

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it defines a systematic approach to managing sensitive information so that it remains secure.

Certification to ISO 27001 means an independent, accredited body has audited an organisation's information security practices and verified they meet the standard's requirements. It is the most widely recognised information security certification in the world — trusted by enterprises, governments, and regulators across every industry.

  • Confidentiality (C): Information is accessible only to those authorised to access it.
  • Integrity (I): Information is accurate and complete — protected from unauthorised modification.
  • Availability (A): Authorised users have reliable access to information when they need it.

02. Why We Are Pursuing ISO 27001

Our sellers trust us with some of the most sensitive data their businesses hold — customer names, delivery addresses, order histories, transaction records, and business performance data. That trust is not given lightly. We do not take it lightly.

1. Because our sellers deserve it
Every Sri Lankan entrepreneur using Storemate has built something real. Their customer data, their order history, their business trends — these deserve bank-level protection. ISO 27001 is the structured way to deliver that.

2. Because we are built from operational experience
We spent five years processing 25 million orders through Curfox alongside Sri Lankan sellers. We have seen firsthand what is at stake when business data is not protected. ISO 27001 formalises the standards we were already building toward.

3. Because it cannot be self-declared
Anyone can say they take security seriously. ISO 27001 requires an independent accredited auditor to verify it. We want our commitment to be verifiable — not just stated.

4. Because the market requires it
As Storemate expands regionally, enterprise customers and government-adjacent organisations require ISO 27001 certification as a baseline for data handling. This investment is both a commitment to our sellers and a strategic necessity.

03. Our Current Security Posture

While we work toward formal ISO 27001 certification, the following security measures are already in place and operational. This is not a future promise — it is current practice.

1. HTTPS everywhere
All data transmitted between users and Storemate is encrypted using TLS. There is no unencrypted data transmission on our platform.

2. Encrypted data storage
Data at rest is encrypted. Your orders, customer details, and business records are not stored in plain text under any circumstances.

3. Role-based access control
Our team members can only access the data and systems necessary for their specific role. No one person has access to everything.

4. Multi-factor authentication
Internal systems require MFA. We enforce this for all team members with access to production systems.

5. Security patch management
We maintain a regular schedule for applying security patches and updates to all systems. Known vulnerabilities are addressed promptly.

6. Secure backup systems
Data is backed up regularly with encrypted backups stored separately from primary systems. Backup integrity is verified periodically.

7. Incident response procedures
We have documented procedures for identifying, containing, and communicating security incidents, including seller notification requirements.

8. Vendor security assessment
Third-party services and integrations are assessed for security standards before integration. Courier APIs and payment processors are evaluated regularly.

9. Access review
We conduct periodic reviews of who has access to what within our systems. Access is revoked immediately when team members change roles or leave.

10. Security awareness training
All team members receive security awareness training. Phishing simulation and secure coding practices are part of our ongoing programme.

04. The 14 ISO 27001 Control Domains

ISO 27001:2013 defines 114 security controls across 14 domains. ISO 27001:2022 (the current version) reorganises these into 93 controls across 4 themes. The following outlines our approach to each of the 14 domains of the 2013 structure (Annex A.5 to A.18).

A.5 Information security policies
Documented security policy approved by management. Reviewed annually.
Written ISMS policy · Management sign-off · Annual review

A.6 Organisation of information security
Defined security roles and responsibilities across the team.
Roles assigned · Remote work policies · Separation of duties

A.7 Human resource security
Security screening, training, and offboarding procedures.
Background checks · Security training · Access revocation on exit

A.8 Asset management
Inventory of information assets with assigned ownership and classification.
Asset register · Data classification · Acceptable use policy

A.9 Access control
Role-based access to systems and data. Least privilege principle applied.
MFA enforced · Least privilege · Quarterly access review

A.10 Cryptography
Encryption standards for data in transit and at rest.
TLS everywhere · Encrypted backups · Key management policy

A.11 Physical & environmental security
Physical access controls for office and infrastructure environments.
Office access control · Clean desk policy · Equipment disposal

A.12 Operations security
Documented procedures for secure IT operations and change management.
Change management · Vulnerability scanning · Logging & monitoring

A.13 Communications security
Controls on network security and information transfer between systems.
Network segregation · Secure transfer agreements · Monitoring

A.14 System acquisition & development
Security requirements built into the development lifecycle.
Secure SDLC · Code review · Test environment separation

A.15 Supplier relationships
Security requirements applied to third-party suppliers and couriers.
Supplier contracts · Security assessment · Service monitoring

A.16 Incident management
Documented procedures for managing and communicating security incidents.
Incident response plan · Seller notification · Post-incident review

A.17 Business continuity
Plans for maintaining operations and data availability during disruptions.
BCP documented · Recovery testing · Backup verification

A.18 Compliance
Ensuring adherence to legal, regulatory, and contractual requirements.
Legal review · Sri Lankan law compliance · Audit schedule

Current Compliance Status

We have assessed our current position against all 14 control domains. The majority of technical controls are already implemented. Active work is underway on formal documentation, risk assessment, and independent audit preparation.

05. Our Specific Security Commitments to Sellers

These are not aspirational statements. They are the specific commitments Parallax Technologies makes to every seller using Storemate — today, before certification, and after.

1. Your data will never be sold
Under any circumstances. To anyone. Ever. Your business data, your customer data, and your order history are yours. We handle them to provide the service. No other commercial use. No exceptions.

2. Your data will never be used for advertising
We do not use your data to build advertising profiles, target you or your customers with ads, or share data with advertising networks of any kind.

3. Data errors will be corrected manually if needed
If there is ever an error in your account data, we correct it — manually if required. "The system cannot do that" is not an answer we give. We own the problem and fix it.

4. Security incidents will be disclosed promptly
If a security incident occurs that affects your data, we will notify you as quickly as possible — within 72 hours where feasible — with a clear explanation of what happened and what we are doing about it.

5. Access will be controlled and audited
Only the team members who need access to your data for their specific role will have it. Access is reviewed and audited. Former team members have access revoked immediately upon departure.

6. Security improvements will be ongoing
ISO 27001 certification is not a one-time achievement. It requires annual surveillance audits and continuous improvement. We commit to maintaining the standard — not just achieving it once.

7. You can ask us anything about your data security
If you have a question about how your data is protected, email us at hello@storemate.lk. You will receive a direct, honest answer — not a reference to this document.

06. Certification Roadmap

ISO 27001 certification is a structured process that cannot be rushed without compromising its integrity. We are pursuing it systematically — building the foundations properly rather than racing for a badge.

Phase 1: Foundation (Complete)
Gap analysis against ISO 27001:2022 requirements. Identification of all information assets. Assignment of asset ownership. Initial risk assessment framework established.
Gap analysis completed · Asset register created · Ownership assigned

Phase 2: Documentation (In Progress)
Formal ISMS documentation including policies, procedures, and standards. Risk treatment plan. Statement of Applicability (SoA). Business continuity and incident response documentation.
ISMS policy written · SoA in development · Risk register active

Phase 3: Implementation (Active)
Rolling out formal controls across all domains. Security awareness training programme. Internal audit programme established. Management review process implemented.
Controls being implemented · Training programme active · Internal audits running

Phase 4: Pre-audit (Scheduled)
Internal audit against all control domains. Management review. Remediation of identified gaps. Engagement of accredited certification body. Stage 1 documentation review.
Internal audit scheduled · Certifier selected · Stage 1 review pending

Phase 5: Certification (Target)
Stage 2 audit by accredited certification body. Full on-site assessment of ISMS implementation. Award of ISO 27001:2022 certification. Surveillance audits annually to maintain certification.
Stage 2 audit · Certification awarded · Annual surveillance programme

07. What This Means for You as a Seller

ISO 27001 certification is not about Storemate. It is about the protection of your business — your orders, your customers, your revenue data.

  • Your customer data is protected to an international standard. The names, addresses, and contact details of every buyer who orders from you through Storemate are handled under the controls of an internationally recognised information security management system.
  • You can show your buyers you take data seriously. When Storemate holds ISO 27001 certification, you can truthfully tell your buyers that your order management platform is certified to the international information security standard. That trust transfers to your business.
  • Enterprise and institutional buyers will trust you more. If your business sells to corporate buyers, government-adjacent organisations, or international customers, ISO 27001 certification on your order management platform removes a common barrier to doing business with you.
  • Your data is recoverable. The business continuity and backup requirements of ISO 27001 mean your order data is backed up, tested, and recoverable. If something goes wrong, your business records are not permanently lost.
08. Contact and Questions

Questions about our information security practices? Want to understand a specific control or commitment? Contact us directly. We will give you a straight answer — not a reference to legal documentation.

Information Security Contact — Parallax Technologies (Pvt) Ltd

  • General security questions. Subject: Security Question — [your name]
  • Data incident reporting. Subject: Security Incident — [your name]
  • ISO 27001 status enquiries. Subject: ISO 27001 — [your name]
  • Data access requests. Subject: Data Request — [your name]
  • Postal address: Parallax Technologies (Pvt) Ltd, Kottawa, Pannipitiya, Sri Lanka

Common questions about our ISO 27001 pursuit

"Are you ISO 27001 certified right now?"
No — not yet. We are actively pursuing certification. The controls and commitments in this document reflect our current security posture, which is substantial. Certification requires independent audit verification, which is scheduled.

"When will you be certified?"
We do not publish a specific certification date because the timeline depends on the audit schedule of our chosen certification body. We are committed to completing the process — and will announce certification publicly when achieved.

"Why does it take so long?"
ISO 27001 certification requires implementing, documenting, and operating controls for a period before an auditor can verify them. Rushing the process produces weak certification. We are doing it properly.

"Can I trust Storemate with my data before certification?"
Yes. The technical controls protecting your data — encryption, access control, secure backups, incident response — are operational now. Certification is the independent verification of what is already in place.

"Will you tell me when you achieve certification?"
Yes. We will announce ISO 27001 certification on our website and notify all active sellers by email when the certificate is awarded.

The Storemate Security Commitment

"Your business data is treated like it is our own."

ISO 27001 is the formal structure around a commitment we were already keeping. Certification makes it independently verifiable. The commitment itself is unconditional.

Namal Attanayake · CEO & Founder · Parallax Technologies (Pvt) Ltd · Version 1.0 · June 2026