Incident Response Policy

Security Incident Response Policy

Effective Date: February 20, 2026

This policy describes how PSRESTful (“we”, “our”) detects, responds to, and recovers from security incidents affecting the PromoSync Shopify application and any protected customer data it processes.


Scope

This policy covers all systems involved in operating PromoSync:

  • The Django application server hosted on Fly.io
  • Shopify Admin API integrations and webhook endpoints
  • PSRESTful API communications
  • Protected customer data (names, shipping addresses, email addresses, order details)

Severity Classification

Severity | Description | Response Time | Examples
--- | --- | --- | ---
SEV-1 — Critical | Active breach or data exfiltration of protected customer data | 15 minutes | Unauthorized access to customer PII, compromised OAuth tokens, active exploit in production
SEV-2 — High | Vulnerability with high likelihood of exploitation or limited data exposure | 1 hour | Exposed API key, unpatched critical CVE, failed webhook signature validation
SEV-3 — Medium | Vulnerability with low likelihood of exploitation, no data exposure confirmed | 24 hours | Misconfigured permissions, dependency vulnerability with no known exploit
SEV-4 — Low | Informational finding, best-practice deviation | 1 week | Minor configuration improvement, logging gap, documentation update needed

Roles and Responsibilities

Role | Responsibility
--- | ---
Incident Commander | Coordinates the response, makes escalation decisions, owns communication
Technical Lead | Investigates root cause, implements containment and remediation
Communications Lead | Drafts merchant notifications, coordinates with Shopify Partner support

For a small team, one person may fill multiple roles. The Incident Commander role must always be explicitly assigned.


Response Phases

Detection

Incidents may be detected through:

  • Access logs — structured logs from PersonalDataAccessLogMiddleware recording all access to protected customer data endpoints
  • Application error monitoring — Django error emails and Fly.io log alerts
  • Shopify notifications — Partner Dashboard alerts or direct communication from Shopify
  • External reports — Responsible disclosure via support@psrestful.com

Triage

Upon detection:

  1. Assign an Incident Commander
  2. Classify severity using the table above
  3. Create an incident record with: timestamp, reporter, initial description, affected systems
  4. Determine if protected customer data is involved

Containment

Immediate actions to limit impact:

  • Revoke compromised credentials — rotate OAuth tokens, API keys, or secrets
  • Isolate affected systems — scale down or suspend the Fly.io application if needed
  • Block malicious traffic — update firewall rules or IP allowlists
  • Disable affected endpoints — temporarily disable compromised webhook or API routes

Investigation

Determine the root cause and full scope:

  • Review access logs (access logger) for unauthorized personal_data_access entries
  • Review application logs (debug.log) for errors or anomalies
  • Check Fly.io deployment logs (flyctl logs) for infrastructure-level events
  • Review Shopify webhook delivery logs in the Partner Dashboard
  • Identify all affected merchants and data types
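The log review steps above are easier to repeat consistently with a small triage script. The following is an added example, not PromoSync's own tooling. It assumes the access logger writes one JSON object per line with the fields listed under Access Logging (timestamp, shop, method, path, ip, status) plus an `event` field; the field names, the sample log lines and the installed-shop list are constructed for the example. It flags entries from shops that are not installed, authentication failures on protected endpoints, and repeated failures from one IP, and it lists the shops whose data was actually served in the window, which is the set the Notification section needs.

```python
"""Triage helper for personal_data_access log entries.

Added example, not PromoSync's own code. The JSON-lines field names, the
sample lines and INSTALLED_SHOPS are constructed assumptions.
"""
import json
from collections import Counter

# Constructed sample access-log lines (not real PromoSync data).
SAMPLE_LOG = """\
{"timestamp": "2026-02-20T10:00:01Z", "event": "personal_data_access", "shop": "alpha-store.myshopify.com", "method": "POST", "path": "/api/actions/create-purchase-orders/", "ip": "203.0.113.10", "status": 200}
{"timestamp": "2026-02-20T10:00:05Z", "event": "personal_data_access", "shop": "alpha-store.myshopify.com", "method": "POST", "path": "/api/actions/create-purchase-orders/", "ip": "203.0.113.10", "status": 200}
{"timestamp": "2026-02-20T10:02:11Z", "event": "personal_data_access", "shop": "unknown-shop.myshopify.com", "method": "POST", "path": "/api/actions/create-purchase-orders/", "ip": "198.51.100.7", "status": 403}
{"timestamp": "2026-02-20T10:02:12Z", "event": "personal_data_access", "shop": "", "method": "POST", "path": "/customer/data-request", "ip": "198.51.100.7", "status": 401}
{"timestamp": "2026-02-20T10:02:13Z", "event": "personal_data_access", "shop": "", "method": "POST", "path": "/customer/redact", "ip": "198.51.100.7", "status": 401}
{"timestamp": "2026-02-20T10:03:00Z", "event": "personal_data_access", "shop": "beta-store.myshopify.com", "method": "POST", "path": "/shop/redact", "ip": "192.0.2.44", "status": 200}
"""

# Assumption: the set of shops that currently have the app installed.
INSTALLED_SHOPS = {"alpha-store.myshopify.com", "beta-store.myshopify.com"}
# An IP with this many 401/403 responses in the reviewed window is flagged.
FAILED_AUTH_THRESHOLD = 2


def parse_access_log(text):
    """Parse JSON-lines output, keeping only personal_data_access events.

    Malformed lines are skipped here; they stay in the raw evidence copy.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event") == "personal_data_access":
            entries.append(rec)
    return entries


def find_suspicious(entries, installed_shops=INSTALLED_SHOPS):
    """Return (reason, entry) pairs worth a closer look.

    Checks: shop not in the installed set, auth failure on a protected
    endpoint, and repeated auth failures from a single IP.
    """
    findings = []
    failures_by_ip = Counter()
    for rec in entries:
        shop = rec.get("shop") or ""
        status = rec.get("status")
        if shop not in installed_shops:
            findings.append(("unknown_shop", rec))
        if status in (401, 403):
            findings.append(("auth_failure", rec))
            failures_by_ip[rec.get("ip")] += 1
    for ip, count in failures_by_ip.items():
        if count >= FAILED_AUTH_THRESHOLD:
            findings.append(("repeated_auth_failures", {"ip": ip, "count": count}))
    return findings


def affected_shops(entries):
    """Shops whose protected data was served (2xx) in the window."""
    return sorted(
        {r["shop"] for r in entries
         if r.get("shop") and 200 <= int(r.get("status", 0)) < 300}
    )


if __name__ == "__main__":
    records = parse_access_log(SAMPLE_LOG)
    for reason, rec in find_suspicious(records):
        print(reason, rec)
    print("affected shops:", affected_shops(records))
```

Run it against the exported log for the incident window instead of `SAMPLE_LOG`; the `affected_shops` output feeds directly into the merchant notification list.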

Recovery

Restore normal operations:

  • Deploy fixes to production via the standard CI/CD pipeline
  • Rotate all potentially compromised credentials
  • Verify containment measures are effective
  • Re-enable any temporarily disabled services
  • Confirm normal operation through monitoring

Notification

⚠️ Shopify requires notification within 72 hours of discovering a breach that affects merchant or customer data.

Notification responsibilities:

  • Shopify — Report via the Partner Dashboard and Shopify Partner support within 72 hours
  • Affected merchants — Email notification describing: what happened, what data was affected, what actions we took, and what merchants should do
  • Regulatory bodies — If required by applicable data protection law (e.g., GDPR), notify the relevant authority within the required timeframe

Post-Incident Review

Within 5 business days of resolution:

  1. Conduct a blameless post-incident review
  2. Document: timeline, root cause, impact, response effectiveness
  3. Identify preventive measures and assign owners
  4. Update this policy if gaps were identified
  5. Archive the incident record

Evidence Collection Checklist

When investigating an incident, collect and preserve the following:

  • Access logs — personal_data_access entries from the access logger
  • Application logs — debug.log entries around the incident timeframe
  • Fly.io logs — flyctl logs output for the affected time period
  • Webhook delivery logs — from the Shopify Partner Dashboard
  • Deployment history — flyctl releases to identify recent changes
  • Git history — recent commits and merges around the incident timeframe

Protected Customer Data Inventory

PromoSync accesses the following protected customer data:

Data Type | Where Accessed | Purpose | Retention
--- | --- | --- | ---
Customer name | Order line items via Admin API | Purchase order generation | Transient — not persisted
Shipping address | Order fulfillment data via Admin API | Purchase order shipping details | Transient — not persisted
Email address | GDPR webhook payloads | Data request and redaction compliance | Processed and discarded

Access Logging

All access to endpoints handling protected customer data is logged by PersonalDataAccessLogMiddleware. Each log entry includes:

  • Timestamp
  • Shop domain
  • HTTP method
  • Endpoint path
  • Client IP address
  • Response status code

Logged endpoints include:

  • /api/actions/create-purchase-orders/ (order and shipping data)
  • /customer/data-request, /customer/redact, /shop/redact (GDPR webhooks)
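To make the logging contract above concrete, here is an added example of a middleware that records exactly those six fields for exactly those endpoints. It is not PromoSync's own PersonalDataAccessLogMiddleware. It follows Django's middleware protocol (a class constructed with `get_response` and called with the request) but imports nothing from Django, so it runs stand-alone against the stub request included below. Assumptions: the shop domain is taken from the `X-Shopify-Shop-Domain` header on webhook requests or from `request.session["shop"]` otherwise, the client IP is the first entry of `X-Forwarded-For` because the app sits behind Fly.io's proxy, and entries are written as one JSON object per line to a logger named `access`.

```python
"""Access-logging middleware for protected-customer-data endpoints.

Added example, not PromoSync's own middleware. Shop-domain source, IP
derivation and the "access" logger name are assumptions.
"""
import json
import logging
from datetime import datetime, timezone

access_logger = logging.getLogger("access")

# Endpoints listed in the policy's "Logged endpoints" section.
PROTECTED_PATHS = (
    "/api/actions/create-purchase-orders/",
    "/customer/data-request",
    "/customer/redact",
    "/shop/redact",
)


def is_protected(path):
    return any(path.startswith(prefix) for prefix in PROTECTED_PATHS)


def client_ip(request):
    """First X-Forwarded-For address, else REMOTE_ADDR.

    Assumption: the app is only reachable through a proxy that overwrites
    X-Forwarded-For; otherwise the header is attacker-controlled.
    """
    xff = request.META.get("HTTP_X_FORWARDED_FOR", "")
    if xff:
        return xff.split(",")[0].strip()
    return request.META.get("REMOTE_ADDR", "")


def shop_domain(request):
    """Webhooks carry the shop in a header; app requests keep it in session."""
    header = request.META.get("HTTP_X_SHOPIFY_SHOP_DOMAIN")
    if header:
        return header
    session = getattr(request, "session", None) or {}
    return session.get("shop", "")


def build_entry(request, status):
    """The six fields the policy requires, plus an event tag for filtering."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": "personal_data_access",
        "shop": shop_domain(request),
        "method": request.method,
        "path": request.path,
        "ip": client_ip(request),
        "status": status,
    }


class PersonalDataAccessLogMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # Log after the view so the final status code is recorded. Under
        # Django, view exceptions are converted to responses before reaching
        # this point, so failed requests are logged too.
        response = self.get_response(request)
        if is_protected(request.path):
            entry = build_entry(request, response.status_code)
            access_logger.info(json.dumps(entry, sort_keys=True))
            request.last_access_entry = entry  # exposed for the demo below
        return response


class StubRequest:
    """Minimal stand-in for django.http.HttpRequest (demo only)."""
    def __init__(self, method, path, meta=None, session=None):
        self.method, self.path = method, path
        self.META = meta or {}
        self.session = session or {}


class StubResponse:
    def __init__(self, status_code):
        self.status_code = status_code


def demo(path, status=200, shop_header=None, remote="198.51.100.7", xff=None):
    """Push one constructed request through the middleware; return its log entry."""
    meta = {"REMOTE_ADDR": remote}
    if xff:
        meta["HTTP_X_FORWARDED_FOR"] = xff
    if shop_header:
        meta["HTTP_X_SHOPIFY_SHOP_DOMAIN"] = shop_header
    request = StubRequest("POST", path, meta)
    middleware = PersonalDataAccessLogMiddleware(lambda r: StubResponse(status))
    middleware(request)
    return getattr(request, "last_access_entry", None)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo("/customer/redact", 200, shop_header="alpha-store.myshopify.com",
               xff="203.0.113.10, 10.0.0.1"))
    print(demo("/healthz"))  # not a protected endpoint: no entry
```

Because the entry is emitted only for the listed paths and includes the response status, a review can distinguish a successful data access from a rejected one without reading the application log.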

Policy Review

This policy is reviewed and updated:

  • Annually, at minimum
  • After every SEV-1 or SEV-2 incident
  • When significant changes are made to data handling or infrastructure

Contact

To report a security incident or vulnerability: