SelfLabs Managed Discounts
Security Policy
Last updated: 2025-11-29
Reporting Security Vulnerabilities
If you discover a security vulnerability, please report it responsibly:
Email: security@selflabs.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes
Response Time: We aim to acknowledge reports within 48 hours.
Do NOT:
- Publicly disclose before we've addressed the issue
- Access or modify data belonging to others
- Perform destructive testing
Security Measures
Authentication & Authorization
| Measure | Implementation |
|---|---|
| Shopify OAuth | All requests authenticated via Shopify |
| Session Management | Handled by Shopify App Bridge |
| Multi-Tenant Isolation | Data filtered by shop on every query |
| Webhook Verification | HMAC signature validation |
Data Protection
| Measure | Implementation |
|---|---|
| Encryption in Transit | HTTPS enforced (TLS 1.2+) |
| Encryption at Rest | Database on encrypted volumes |
| Usage Logging | Discount usage recorded with full audit trail |
| Access Logging | Personal data views recorded in access logs |
| Minimal Data Collection | Only email for usage tracking |
Data Loss Prevention
| Measure | Implementation |
|---|---|
| Database Backups | PostgreSQL automatic snapshots |
| Backup Retention | Daily snapshots, provider-dependent retention |
| Recovery Objective | 30-minute RTO target |
| Backup Encryption | Encrypted at rest by database provider |
| Regular Testing | Periodic backup restore verification |
Access Controls
| Control | Requirement |
|---|---|
| Partner Dashboard | 2FA required |
| Hosting Provider | 2FA required, strong passwords |
| Production Database | No direct access, only through app |
| Staff Access | Limited to authorized personnel |
Password Requirements
For all systems with access to production data:
- Minimum 12 characters
- Mix of uppercase, lowercase, numbers, symbols
- No password reuse
- Change every 90 days
- 2FA enabled where available
Incident Response Plan
Severity Levels
| Level | Description | Response Time |
|---|---|---|
| Critical | Active data breach, system compromise | Immediate (< 1 hour) |
| High | Vulnerability with imminent risk | < 4 hours |
| Medium | Security issue without active exploitation | < 24 hours |
| Low | Minor issue, best practice violation | < 1 week |
Response Procedures
1. Detection & Identification
- Monitor for unusual activity
- Review logs for anomalies
- Assess scope and severity
2. Containment
- Critical/High: Take affected systems offline if necessary
- Revoke compromised credentials immediately
- Block suspicious IP addresses
- Preserve evidence for investigation
3. Investigation
- Determine root cause
- Identify affected data and users
- Document timeline of events
- Assess total impact
4. Notification
Internal Notification (immediate):
- All team members with access to affected systems
Shopify Notification (within 24 hours for data breaches):
- Contact: apps@shopify.com
- Include: Nature of incident, data affected, remediation steps
Merchant Notification (within 72 hours for data breaches):
- Method: Email to affected merchants
- Include: What happened, what data was affected, what we're doing, what they should do
Regulatory Notification (as required):
- GDPR: Within 72 hours to supervisory authority
- CCPA: As required by law
5. Remediation
- Patch vulnerabilities
- Reset credentials if compromised
- Update security measures
- Implement additional controls as needed
6. Recovery
- Restore systems to normal operation
- Verify fix effectiveness
- Monitor for recurrence
7. Post-Incident Review
- Conduct post-mortem within 1 week
- Document lessons learned
- Update procedures as needed
- Share findings with relevant parties
Contact List
| Role | Contact | Responsibility |
|---|---|---|
| Security Lead | security@selflabs.com | Incident coordination |
| Technical Lead | tech@selflabs.com | Technical remediation |
| Legal | legal@selflabs.com | Regulatory compliance |
Data Breach Response Checklist
- Identify scope of breach
- Contain the breach (revoke access, isolate systems)
- Preserve evidence (logs, screenshots)
- Notify internal team
- Assess regulatory notification requirements
- Notify Shopify (apps@shopify.com)
- Notify affected merchants
- Notify affected individuals (if required)
- Document incident timeline
- Implement remediation measures
- Conduct post-incident review
- Update security procedures
Security Updates
Regular Activities
| Activity | Frequency |
|---|---|
| Dependency updates | Weekly |
| Security patches | As released |
| Access review | Monthly |
| Security audit | Annually |
| Penetration testing | Annually |
Vulnerability Management
- Monitor for CVEs in dependencies
- Use `npm audit` to check for known vulnerabilities
- Update dependencies promptly when patches are available
- Test updates before deploying to production
Compliance
This security policy supports compliance with:
- Shopify Partner Requirements
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- SOC 2 principles (informally)
Policy Updates
This policy is reviewed and updated:
- Annually at minimum
- After any security incident
- When significant changes are made to the app
Questions? Contact security@selflabs.com