Effective date: July 6, 2026 Last updated: July 6, 2026 Owner: Digital Project Design LLC ("DPD")
This policy describes how DPD detects, responds to, and reports security incidents affecting the Professional Form Manager application (the "App") for Shopify and the data it processes.
Our role. For a Merchant's Respondent data, DPD acts as a data processor on behalf of the Merchant (the data controller). Where this policy refers to notifying or assisting Merchants, that is our processor obligation under our Data Processing Addendum and GDPR Art. 28/33.
Contents
- 1. Scope
- 2. What counts as an incident
- 3. Roles
- 4. How incidents are detected and reported
- 5. Response process
- 6. Notification
- 7. Evidence & records
- 8. Review
1. Scope
This policy covers the systems and data DPD operates to run the App:
- Application code — the Cloudflare Worker (React Router app) and Shopify theme extension, version-controlled in DPD's private repository.
- Data stores — Cloudflare D1 databases (the control-plane database holding Shopify sessions, the shop→tenant mapping, and entitlements; and the per-tenant databases holding forms, submissions, audit logs, and file metadata) and Cloudflare R2 (Respondent file attachments and PDF templates). All D1 and R2 data is encrypted at rest by Cloudflare.
- Secrets and credentials — the Shopify API key/secret, the Cloudflare API token, the Resend API key, and the Turnstile secret, stored as Worker secrets (never in source).
- Operator accounts — the Cloudflare, Shopify Partner, Resend, and source-control accounts used to deploy and operate the App.
Data-at-risk note. Unlike a data-minimizing tool, the App's purpose is to collect the personal data a Merchant configures its forms to gather — which can include names, contact details, free-text responses, typed-name signatures, and uploaded files. This data is stored encrypted at rest, isolated in a dedicated per-Merchant database, with file attachments in R2 served only via signed, expiring links. The App requests no Shopify Admin scopes and does not access Shopify Protected Customer Data. These controls limit, but do not eliminate, the data at risk in an incident, which is why this policy exists.
2. What counts as an incident
A security incident is any actual or reasonably suspected event that compromises the confidentiality, integrity, or availability of the systems or data above — for example: unauthorized access to a data store, R2 bucket, or operator account; leaked credentials; exploitation of a vulnerability; data exfiltration; unintended exposure of one tenant's data to another; or malware in the build/deploy pipeline.
A personal-data breach is an incident that leads to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to personal data the App processes.
Severity
| Level | Definition | Initial response target |
|---|---|---|
| SEV‑1 — Critical | Confirmed unauthorized access to, or exfiltration of, submission data or file attachments; cross-tenant data exposure; compromise of a production credential or the deploy pipeline. | Begin response immediately, within 4 hours of detection. |
| SEV‑2 — High | Suspected or potential exposure; an actively exploitable vulnerability in production; partial service compromise with no confirmed data access. | Begin response within 24 hours. |
| SEV‑3 — Low | Minor issue with no realistic path to personal-data exposure (e.g., a contained bug, a low-risk dependency advisory). | Triage within 3 business days. |
3. Roles
DPD is a small team; roles may be held by the same person.
- Incident Lead — coordinates the response, makes containment decisions, and owns external notifications. Primary: the DPD principal. Backup: the second DPD operator.
- Reporter — anyone (DPD operator, Shopify, a Merchant, a Respondent, a researcher, or an automated alert) who identifies a possible incident.
4. How incidents are detected and reported
- Monitoring — Cloudflare Workers observability/logs are enabled in production; Cloudflare account audit logs record dashboard/API access. R2 access is via the App's signed-link path, not public buckets.
- External reports — Shopify security notices, Merchant reports, Resend delivery/abuse signals, and third-party/researcher reports sent to pfm@digitalprojectdesign.com.
Anyone who suspects an incident emails pfm@digitalprojectdesign.com (or notifies the Incident Lead directly). All suspected incidents are logged with a timestamp, what was observed, and the reporter.
5. Response process
- Identify & triage. The Incident Lead confirms whether an incident occurred, assigns a severity, and opens a brief written incident record (timeline, systems/data involved, actions taken).
-
Contain. Stop the bleeding: rotate the affected secret(s) (
wrangler secret/ Cloudflare token / Resend key / Turnstile secret rotation), revoke or re-issue compromised credentials, disable the affected route or roll back to the last known-good deployed Worker version, invalidate outstanding signed download links if attachment exposure is suspected, and/or restrict access. - Eradicate. Remove the root cause — patch the vulnerability, fix the code, remove unauthorized access, update dependencies.
- Recover. Restore correct operation. Submission data is recoverable via Cloudflare D1 point-in-time recovery (Time Travel) and redeploy from version control; R2 objects are restored from their stored keys. Verify integrity and that the issue is resolved before closing.
- Notify. See Section 6.
- Review. Within 5 business days of resolving a SEV‑1/SEV‑2, conduct a root-cause review and record remediation actions and any policy changes.
6. Notification
- Shopify. For any incident involving Shopify data or platform credentials, notify Shopify without undue delay and as required by the Shopify Partner Program Agreement and API License & Terms of Use, via the channel Shopify designates (Partner Dashboard / security contact).
- Affected Merchants (controllers). For a personal-data breach, notify each affected Merchant without undue delay after becoming aware, with the information they need to meet their own obligations — the nature of the breach, the data and approximate number of records/attachments involved, likely consequences, and the measures taken or proposed. This enables the Merchant to meet the GDPR Art. 33 72-hour supervisory-authority deadline where applicable.
- Data subjects and regulators. As processor, DPD does not notify the Merchant's Respondents or supervisory authorities directly; the Merchant (controller) is responsible for those notifications, and DPD provides reasonable assistance and information. DPD will comply with applicable California (CCPA/CPRA) and other breach-notification laws that apply to it directly.
-
Data-subject and deletion requests are handled through the App's implemented Shopify compliance webhooks —
customers/data_request,customers/redact, andshop/redact— plus the App's in-admin erasure tools; the Merchant fulfills the Respondent-facing delivery within the applicable SLA.
7. Evidence & records
Incident records, the actions taken, and relevant logs (Cloudflare Workers logs, account audit logs, D1 state, the App's audit log) are retained for at least 24 months to support review and any regulatory inquiry.
8. Review
This policy is reviewed at least annually and after any SEV‑1/SEV‑2 incident, and updated as the App's architecture or obligations change.
Contact: Digital Project Design LLC, 10441 Chaney Ave, Downey, CA 90241 · pfm@digitalprojectdesign.com