
Data Security at SiteOne

At SiteOne, we leverage a combination of security standards and frameworks to manage and measure our cybersecurity program. As threat actors evolve their techniques and attack vectors change, we continually update our programs for confidentiality, data integrity and availability. We have invested, and will continue to invest, in protecting, monitoring, alerting and mitigating information security risks across the enterprise.

In the event of a security issue, we have an incident response plan used to quickly triage, contain and understand the issue, and to determine how to protect against it going forward. Managing our daily security program is a team of information security engineers led by our Chief Information Security Officer.

Additionally, our Privacy and Security Statement provides information regarding how we collect, use and share information we collect from our customers. We explain the ways we use the information we collect, and how customers can find out more about the personal information we collect about them on the Exercise My Privacy Rights page of our website.

Governance, Risk & Compliance

Our information security and privacy policies are in place and regularly updated based on business, compliance and any other needs.

External and internal resources perform audits and penetration testing throughout the year on SiteOne applications, networks and environments. An external qualified security assessor performs an annual review of our compliance with the Payment Card Industries Data Security Standards.

Data Protection

We maintain both data classification and retention policies to reduce the exposure of data to unauthorized access and to comply with regulatory requirements. We strive to minimize the customer data collected to limit the potential data exposure risks.

Data is continually scanned to identify sensitive data and determine whether it is properly protected and classified. SiteOne utilizes third parties specializing in vulnerability assessments and penetration testing to review our networks, systems and applications for patching and proper configuration. We also perform at least two disaster recovery test exercises annually to validate and optimize our ability to recover technology at a secondary data center site in the event of a major incident or disaster event.

Vendor Security

We partner with our vendors to minimize the customer data needed to provide services and ensure compliance with regulations. Vendors are reviewed annually to identify any changes to services, data requirements and associated security and protections. Where applicable, vendors are contractually bound to protect customer data and support enforcement of all regulatory requirements.

Data Security & Privacy Awareness

We provide new hire and annual security awareness and privacy training to all associates as well as other targeted security training for key departments dealing with sensitive data types. SiteOne performs quarterly phishing assessment exercises to ensure associates are aware and educated about phishing threats and trained to identify and avoid them.