Effective Date: 03/06/2026
Version: 1.0
Owner: Embodied Love University
Compliance Contact: team@embodiedloveuniversity.com
This Information Security Policy establishes the administrative, technical, and operational safeguards used by Embodied Love University to protect company information, customer information, payment-related data, and the integrity of its online systems.
This policy is intended to support secure e-commerce operations and to reduce the risk of unauthorized access, misuse, disclosure, alteration, or destruction of sensitive information.
This policy applies to Embodied Love University and its online operations, including its websites and digital platforms used to deliver content, services, and e-commerce functionality.
This policy applies to:
employees
contractors
administrators
service providers with access to relevant systems
all systems, devices, accounts, and processes used to support these websites and related business operations
This policy covers e-commerce operations only. Embodied Love University accepts payments through an online e-commerce portal and does not use standalone card terminals, point-of-sale devices, or P2PE in-person payment devices.
Embodied Love University is committed to maintaining the confidentiality, integrity, and availability of its information assets and to protecting customer information handled in connection with its online services.
All personnel with access to company systems or sensitive information are expected to:
handle information according to its sensitivity
prevent unauthorized disclosure of customer and company data
use secure passwords and protect account credentials
report suspected incidents without delay
follow approved processes for access, software, devices, and system changes
complete security awareness training as required
Embodied Love University accepts payments only through its secure e-commerce payment portal.
PayPal is the current and only payment portal used by Embodied Love University for online payment processing.
Embodied Love University does not intentionally store full card numbers, card security codes, or sensitive authentication data on its own internal systems unless explicitly required by a validated and compliant payment workflow.
Where payment processing is performed by PayPal, PayPal is responsible for protecting payment data within its controlled environment in accordance with its applicable security and compliance obligations.
Any e-commerce configuration that redirects users to a hosted payment page or uses a hosted payment form must be securely configured and maintained.
Management is responsible for:
approving this policy
supporting implementation and enforcement
ensuring security responsibilities are assigned
reviewing material security risks and incidents
Authorized technical personnel are responsible for:
maintaining secure website and server configurations
applying patches and updates
restricting administrative access
monitoring for suspicious activity
maintaining backups and recovery procedures
All personnel are responsible for:
using systems appropriately
protecting credentials
following least-privilege access rules
reporting suspected incidents or policy violations immediately to team@embodiedloveuniversity.com
All users of Embodied Love University systems must use company resources responsibly and only for authorized business purposes.
Users must not:
share passwords or accounts
install unauthorized software, tools, or integrations
bypass security controls
access data beyond their job requirements
use company systems for illegal, abusive, offensive, or harmful activity
expose sensitive business or customer information without authorization
Users must:
use strong, unique passwords
lock devices when unattended
protect laptops, workstations, and administrative sessions from unauthorized access
avoid storing sensitive information in unapproved locations
seek approval before introducing new tools, plugins, hardware, software, or third-party connections
Access to systems and data must be limited to authorized individuals whose job responsibilities require it.
Embodied Love University follows these access control principles:
unique user accounts are required
shared accounts are prohibited unless formally approved and controlled
access is granted based on least privilege and need-to-know
privileged access is restricted to approved personnel only
access requests, changes, and removals must be authorized
access is reviewed periodically
accounts must be disabled promptly when access is no longer needed
Administrative access to website hosting, payment-related systems, DNS, domains, CMS platforms, plugins, analytics, and third-party services must be limited to authorized personnel only.
All systems that support Embodied Love University’s websites, administration, or customer operations must use strong authentication controls.
Requirements include:
strong, unique passwords for each account
no password sharing
password managers should be used where practical
multi-factor authentication must be enabled for administrative access whenever supported
default passwords must be changed before a system or service is placed into use
administrative credentials must be restricted to authorized personnel only
Embodied Love University will maintain secure configurations for systems that support its e-commerce operations.
Security measures include, where applicable:
maintaining a current record of the website/payment environment and key service connections
restricting unnecessary services, ports, plugins, and administrative functions
patching systems, software, themes, plugins, and applications in a timely manner
using firewalls, security controls, or managed protections appropriate to the hosting environment
protecting websites against common vulnerabilities
logging and reviewing suspicious or high-risk events where feasible
scanning for vulnerabilities where applicable
maintaining secure DNS, domain, hosting, and administrator practices
For any servers, platforms, applications, or web services that support the company’s e-commerce operations, Embodied Love University will:
define secure baseline settings
disable or remove unnecessary services and accounts
change or disable vendor defaults
restrict administrative access
use multi-factor authentication for admin access where available
monitor for unauthorized changes
update operating systems, applications, plugins, and supporting tools
respond to newly identified vulnerabilities in a timely manner
Embodied Love University will protect company, customer, and payment-related information against unauthorized access and disclosure.
Sensitive information must be:
accessed only by authorized personnel
transmitted only through approved and secure methods
stored only where necessary and in approved systems
retained only as long as required for business, legal, or operational needs
deleted or securely removed when no longer required
Embodied Love University personnel must avoid storing payment data in local files, email inboxes, spreadsheets, notes, screenshots, or unapproved systems.
Embodied Love University may rely on third-party providers for hosting, website infrastructure, email, analytics, security, or other operational services.
For payment processing:
PayPal is the current and only payment portal and payment processing provider
Where third parties support the e-commerce environment:
they must be appropriately reviewed before use
access granted to them must be limited to what is necessary
security responsibilities must be understood and documented
providers involved in payment functions should be able to demonstrate appropriate security and compliance status where relevant
All relevant personnel must receive security awareness guidance appropriate to their role.
Training topics may include:
password hygiene
phishing and social engineering awareness
secure handling of customer information
incident reporting
safe use of administrative tools and web platforms
Any actual or suspected information security incident must be reported immediately to:
team@embodiedloveuniversity.com
Examples of reportable incidents include:
suspected website compromise
malware or unauthorized system changes
phishing affecting administrative accounts
unauthorized access to customer or company data
suspected exposure of payment-related information
unusual account activity
service outages caused by malicious activity
Embodied Love University will respond to security incidents by:
identifying and documenting the issue
containing the threat
preserving relevant records and logs
assessing affected systems and data
coordinating remediation
notifying relevant parties if required
reviewing the incident and improving controls afterward
Changes to systems that support the e-commerce environment should be controlled and reviewed.
This includes significant changes to:
website code
plugins
themes
integrations
hosting settings
DNS
user roles
payment configurations
security tools
Changes should be made only by authorized personnel and should be documented where practical.
Embodied Love University will maintain control over company-managed devices and systems used to administer business websites and services.
Devices used for administrative access should:
be protected with passwords or passcodes
be kept updated
use anti-malware or equivalent protections where appropriate
not be shared without authorization
be physically secured against unauthorized access
Compliance with this policy is mandatory for all applicable personnel.
Violations may result in:
removal of access
disciplinary action
contract termination
legal action where appropriate
Failure to follow this policy may expose Embodied Love University, its customers, and its service providers to security, legal, operational, and reputational risks.
This policy will be reviewed at least annually and whenever there is a significant change to:
business operations
websites in scope
payment methods
hosting or infrastructure
service providers
regulatory or compliance requirements
known risks or incidents