[{"data":1,"prerenderedAt":904},["ShallowReactive",2],{"legal-\u002Fapps\u002Fmanaged-discounts\u002Fsecurity":3},{"id":4,"title":5,"body":6,"description":895,"extension":896,"lastUpdated":897,"meta":898,"navigation":653,"path":899,"product":900,"seo":901,"stem":902,"__hash__":903},"legal\u002Fapps\u002Fmanaged-discounts\u002Fsecurity.md","Security Policy",{"type":7,"value":8,"toc":870},"minimark",[9,17,22,25,36,39,55,61,67,78,82,87,144,148,200,204,256,260,306,310,313,330,334,338,406,410,415,426,430,447,451,465,469,475,480,486,498,504,512,518,526,530,544,548,559,563,577,581,638,642,725,729,733,786,790,809,813,816,841,845,848,859,862],[10,11,12,16],"p",{},[13,14,15],"strong",{},"SelfLabs Managed Discounts App","\nLast Updated: November 29, 2025",[18,19,21],"h2",{"id":20},"reporting-security-vulnerabilities","Reporting Security Vulnerabilities",[10,23,24],{},"If you discover a security vulnerability, please report it responsibly:",[10,26,27,30,31],{},[13,28,29],{},"Email",": ",[32,33,35],"a",{"href":34},"mailto:security@selflabs.com","security@selflabs.com",[10,37,38],{},"Please include:",[40,41,42,46,49,52],"ul",{},[43,44,45],"li",{},"Description of the vulnerability",[43,47,48],{},"Steps to reproduce",[43,50,51],{},"Potential impact",[43,53,54],{},"Any suggested fixes",[10,56,57,60],{},[13,58,59],{},"Response Time",": We aim to acknowledge reports within 48 hours.",[10,62,63,66],{},[13,64,65],{},"Do NOT",":",[40,68,69,72,75],{},[43,70,71],{},"Publicly disclose before we've addressed the issue",[43,73,74],{},"Access or modify data belonging to others",[43,76,77],{},"Perform destructive testing",[18,79,81],{"id":80},"security-measures","Security Measures",[83,84,86],"h3",{"id":85},"authentication-authorization","Authentication & Authorization",[88,89,90,103],"table",{},[91,92,93],"thead",{},[94,95,96,100],"tr",{},[97,98,99],"th",{},"Measure",[97,101,102],{},"Implementation",[104,105,106,115,123,136],"tbody",{},[94,107,108,112],{},[109,110,111],"td",{},"Shopify OAuth",[109,113,114],{},"All requests authenticated via Shopify",[94,116,117,120],{},[109,118,119],{},"Session Management",[109,121,122],{},"Handled by Shopify App Bridge",[94,124,125,128],{},[109,126,127],{},"Multi-Tenant Isolation",[109,129,130,131,135],{},"Data filtered by ",[132,133,134],"code",{},"shop"," on every query",[94,137,138,141],{},[109,139,140],{},"Webhook Verification",[109,142,143],{},"HMAC signature validation",[83,145,147],{"id":146},"data-protection","Data Protection",[88,149,150,158],{},[91,151,152],{},[94,153,154,156],{},[97,155,99],{},[97,157,102],{},[104,159,160,168,176,184,192],{},[94,161,162,165],{},[109,163,164],{},"Encryption in Transit",[109,166,167],{},"HTTPS enforced (TLS 1.2+)",[94,169,170,173],{},[109,171,172],{},"Encryption at Rest",[109,174,175],{},"Database on encrypted volumes",[94,177,178,181],{},[109,179,180],{},"Usage Logging",[109,182,183],{},"Discount usage recorded with full audit trail",[94,185,186,189],{},[109,187,188],{},"Access Logging",[109,190,191],{},"Personal data views recorded in access logs",[94,193,194,197],{},[109,195,196],{},"Minimal Data Collection",[109,198,199],{},"Only email for usage tracking",[83,201,203],{"id":202},"data-loss-prevention","Data Loss Prevention",[88,205,206,214],{},[91,207,208],{},[94,209,210,212],{},[97,211,99],{},[97,213,102],{},[104,215,216,224,232,240,248],{},[94,217,218,221],{},[109,219,220],{},"Database Backups",[109,222,223],{},"PostgreSQL automatic snapshots",[94,225,226,229],{},[109,227,228],{},"Backup Retention",[109,230,231],{},"Daily snapshots, provider-dependent retention",[94,233,234,237],{},[109,235,236],{},"Recovery Objective",[109,238,239],{},"30-minute RTO target",[94,241,242,245],{},[109,243,244],{},"Backup Encryption",[109,246,247],{},"Encrypted at rest by database provider",[94,249,250,253],{},[109,251,252],{},"Regular Testing",[109,254,255],{},"Periodic backup restore verification",[83,257,259],{"id":258},"access-controls","Access Controls",[88,261,262,272],{},[91,263,264],{},[94,265,266,269],{},[97,267,268],{},"Control",[97,270,271],{},"Requirement",[104,273,274,282,290,298],{},[94,275,276,279],{},[109,277,278],{},"Partner Dashboard",[109,280,281],{},"2FA required",[94,283,284,287],{},[109,285,286],{},"Hosting Provider",[109,288,289],{},"2FA required, strong passwords",[94,291,292,295],{},[109,293,294],{},"Production Database",[109,296,297],{},"No direct access, only through app",[94,299,300,303],{},[109,301,302],{},"Staff Access",[109,304,305],{},"Limited to authorized personnel",[83,307,309],{"id":308},"password-requirements","Password Requirements",[10,311,312],{},"For all systems with access to production data:",[40,314,315,318,321,324,327],{},[43,316,317],{},"Minimum 12 characters",[43,319,320],{},"Mix of uppercase, lowercase, numbers, symbols",[43,322,323],{},"No password reuse",[43,325,326],{},"Change every 90 days",[43,328,329],{},"2FA enabled where available",[18,331,333],{"id":332},"incident-response-plan","Incident Response Plan",[83,335,337],{"id":336},"severity-levels","Severity Levels",[88,339,340,352],{},[91,341,342],{},[94,343,344,347,350],{},[97,345,346],{},"Level",[97,348,349],{},"Description",[97,351,59],{},[104,353,354,367,380,393],{},[94,355,356,361,364],{},[109,357,358],{},[13,359,360],{},"Critical",[109,362,363],{},"Active data breach, system compromise",[109,365,366],{},"Immediate (\u003C 1 hour)",[94,368,369,374,377],{},[109,370,371],{},[13,372,373],{},"High",[109,375,376],{},"Vulnerability with imminent risk",[109,378,379],{},"\u003C 4 hours",[94,381,382,387,390],{},[109,383,384],{},[13,385,386],{},"Medium",[109,388,389],{},"Security issue without active exploitation",[109,391,392],{},"\u003C 24 hours",[94,394,395,400,403],{},[109,396,397],{},[13,398,399],{},"Low",[109,401,402],{},"Minor issue, best practice violation",[109,404,405],{},"\u003C 1 week",[83,407,409],{"id":408},"response-procedures","Response Procedures",[411,412,414],"h4",{"id":413},"_1-detection-identification","1. Detection & Identification",[40,416,417,420,423],{},[43,418,419],{},"Monitor for unusual activity",[43,421,422],{},"Review logs for anomalies",[43,424,425],{},"Assess scope and severity",[411,427,429],{"id":428},"_2-containment","2. Containment",[40,431,432,438,441,444],{},[43,433,434,437],{},[13,435,436],{},"Critical\u002FHigh",": Take affected systems offline if necessary",[43,439,440],{},"Revoke compromised credentials immediately",[43,442,443],{},"Block suspicious IP addresses",[43,445,446],{},"Preserve evidence for investigation",[411,448,450],{"id":449},"_3-investigation","3. Investigation",[40,452,453,456,459,462],{},[43,454,455],{},"Determine root cause",[43,457,458],{},"Identify affected data and users",[43,460,461],{},"Document timeline of events",[43,463,464],{},"Assess total impact",[411,466,468],{"id":467},"_4-notification","4. Notification",[10,470,471,474],{},[13,472,473],{},"Internal Notification"," (immediate):",[40,476,477],{},[43,478,479],{},"All team members with access to affected systems",[10,481,482,485],{},[13,483,484],{},"Shopify Notification"," (within 24 hours for data breaches):",[40,487,488,495],{},[43,489,490,491],{},"Contact: ",[32,492,494],{"href":493},"mailto:apps@shopify.com","apps@shopify.com",[43,496,497],{},"Include: Nature of incident, data affected, remediation steps",[10,499,500,503],{},[13,501,502],{},"Merchant Notification"," (within 72 hours for data breaches):",[40,505,506,509],{},[43,507,508],{},"Method: Email to affected merchants",[43,510,511],{},"Include: What happened, what data was affected, what we're doing, what they should do",[10,513,514,517],{},[13,515,516],{},"Regulatory Notification"," (as required):",[40,519,520,523],{},[43,521,522],{},"GDPR: Within 72 hours to supervisory authority",[43,524,525],{},"CCPA: As required by law",[411,527,529],{"id":528},"_5-remediation","5. Remediation",[40,531,532,535,538,541],{},[43,533,534],{},"Patch vulnerabilities",[43,536,537],{},"Reset credentials if compromised",[43,539,540],{},"Update security measures",[43,542,543],{},"Implement additional controls as needed",[411,545,547],{"id":546},"_6-recovery","6. Recovery",[40,549,550,553,556],{},[43,551,552],{},"Restore systems to normal operation",[43,554,555],{},"Verify fix effectiveness",[43,557,558],{},"Monitor for recurrence",[411,560,562],{"id":561},"_7-post-incident-review","7. Post-Incident Review",[40,564,565,568,571,574],{},[43,566,567],{},"Conduct post-mortem within 1 week",[43,569,570],{},"Document lessons learned",[43,572,573],{},"Update procedures as needed",[43,575,576],{},"Share findings with relevant parties",[83,578,580],{"id":579},"contact-list","Contact List",[88,582,583,596],{},[91,584,585],{},[94,586,587,590,593],{},[97,588,589],{},"Role",[97,591,592],{},"Contact",[97,594,595],{},"Responsibility",[104,597,598,610,624],{},[94,599,600,603,607],{},[109,601,602],{},"Security Lead",[109,604,605],{},[32,606,35],{"href":34},[109,608,609],{},"Incident coordination",[94,611,612,615,621],{},[109,613,614],{},"Technical Lead",[109,616,617],{},[32,618,620],{"href":619},"mailto:tech@selflabs.com","tech@selflabs.com",[109,622,623],{},"Technical remediation",[94,625,626,629,635],{},[109,627,628],{},"Legal",[109,630,631],{},[32,632,634],{"href":633},"mailto:legal@selflabs.com","legal@selflabs.com",[109,636,637],{},"Regulatory compliance",[18,639,641],{"id":640},"data-breach-response-checklist","Data Breach Response Checklist",[40,643,646,656,662,668,674,680,689,695,701,707,713,719],{"className":644},[645],"contains-task-list",[43,647,650,655],{"className":648},[649],"task-list-item",[651,652],"input",{"disabled":653,"type":654},true,"checkbox"," Identify scope of breach",[43,657,659,661],{"className":658},[649],[651,660],{"disabled":653,"type":654}," Contain the breach (revoke access, isolate systems)",[43,663,665,667],{"className":664},[649],[651,666],{"disabled":653,"type":654}," Preserve evidence (logs, screenshots)",[43,669,671,673],{"className":670},[649],[651,672],{"disabled":653,"type":654}," Notify internal team",[43,675,677,679],{"className":676},[649],[651,678],{"disabled":653,"type":654}," Assess regulatory notification requirements",[43,681,683,685,686,688],{"className":682},[649],[651,684],{"disabled":653,"type":654}," Notify Shopify (",[32,687,494],{"href":493},")",[43,690,692,694],{"className":691},[649],[651,693],{"disabled":653,"type":654}," Notify affected merchants",[43,696,698,700],{"className":697},[649],[651,699],{"disabled":653,"type":654}," Notify affected individuals (if required)",[43,702,704,706],{"className":703},[649],[651,705],{"disabled":653,"type":654}," Document incident timeline",[43,708,710,712],{"className":709},[649],[651,711],{"disabled":653,"type":654}," Implement remediation measures",[43,714,716,718],{"className":715},[649],[651,717],{"disabled":653,"type":654}," Conduct post-incident review",[43,720,722,724],{"className":721},[649],[651,723],{"disabled":653,"type":654}," Update security procedures",[18,726,728],{"id":727},"security-updates","Security Updates",[83,730,732],{"id":731},"regular-activities","Regular Activities",[88,734,735,745],{},[91,736,737],{},[94,738,739,742],{},[97,740,741],{},"Activity",[97,743,744],{},"Frequency",[104,746,747,755,763,771,779],{},[94,748,749,752],{},[109,750,751],{},"Dependency updates",[109,753,754],{},"Weekly",[94,756,757,760],{},[109,758,759],{},"Security patches",[109,761,762],{},"As released",[94,764,765,768],{},[109,766,767],{},"Access review",[109,769,770],{},"Monthly",[94,772,773,776],{},[109,774,775],{},"Security audit",[109,777,778],{},"Annually",[94,780,781,784],{},[109,782,783],{},"Penetration testing",[109,785,778],{},[83,787,789],{"id":788},"vulnerability-management","Vulnerability Management",[791,792,793,796,803,806],"ol",{},[43,794,795],{},"Monitor for CVEs in dependencies",[43,797,798,799,802],{},"Use ",[132,800,801],{},"npm audit"," to check for known vulnerabilities",[43,804,805],{},"Update dependencies promptly when patches are available",[43,807,808],{},"Test updates before deploying to production",[18,810,812],{"id":811},"compliance","Compliance",[10,814,815],{},"This security policy supports compliance with:",[40,817,818,823,829,835],{},[43,819,820],{},[13,821,822],{},"Shopify Partner Requirements",[43,824,825,828],{},[13,826,827],{},"GDPR"," (General Data Protection Regulation)",[43,830,831,834],{},[13,832,833],{},"CCPA"," (California Consumer Privacy Act)",[43,836,837,840],{},[13,838,839],{},"SOC 2"," principles (informally)",[18,842,844],{"id":843},"policy-updates","Policy Updates",[10,846,847],{},"This policy is reviewed and updated:",[40,849,850,853,856],{},[43,851,852],{},"Annually at minimum",[43,854,855],{},"After any security incident",[43,857,858],{},"When significant changes are made to the app",[860,861],"hr",{},[10,863,864,867,868],{},[13,865,866],{},"Questions?"," Contact ",[32,869,35],{"href":34},{"title":871,"searchDepth":872,"depth":872,"links":873},"",2,[874,875,883,888,889,893,894],{"id":20,"depth":872,"text":21},{"id":80,"depth":872,"text":81,"children":876},[877,879,880,881,882],{"id":85,"depth":878,"text":86},3,{"id":146,"depth":878,"text":147},{"id":202,"depth":878,"text":203},{"id":258,"depth":878,"text":259},{"id":308,"depth":878,"text":309},{"id":332,"depth":872,"text":333,"children":884},[885,886,887],{"id":336,"depth":878,"text":337},{"id":408,"depth":878,"text":409},{"id":579,"depth":878,"text":580},{"id":640,"depth":872,"text":641},{"id":727,"depth":872,"text":728,"children":890},[891,892],{"id":731,"depth":878,"text":732},{"id":788,"depth":878,"text":789},{"id":811,"depth":872,"text":812},{"id":843,"depth":872,"text":844},"SelfLabs Managed Discounts App\nLast Updated: November 29, 2025","md","2025-11-29",{},"\u002Fapps\u002Fmanaged-discounts\u002Fsecurity","SelfLabs Managed Discounts",{"title":5,"description":895},"apps\u002Fmanaged-discounts\u002Fsecurity","n8W0vseVLVIgoBLA4BXhxuBI0LwXuZsDFw82VHSXyVA",1775237350023]