
    Professional List Manager — Security Incident Response Policy

    Effective date: May 27, 2026    Last updated: May 27, 2026    Owner: Digital Project Design LLC ("DPD")

    This policy describes how DPD detects, responds to, and reports security incidents affecting the Professional List Manager application (the "App") for Shopify and the data it processes.

    Our role. For a Merchant's Customer data, DPD acts as a data processor on behalf of the Merchant (the data controller). Where this policy refers to notifying or assisting Merchants, that is our processor obligation under our Data Processing Addendum and GDPR Art. 28/33.

    1. Scope

    This policy covers the systems and data DPD operates to run the App:

    • Application code — the Cloudflare Worker (React Router app) and Shopify extensions, version-controlled in DPD's private repository.
    • Data stores — Cloudflare D1 databases: the control-plane database (Shopify sessions + the shop→tenant mapping) and the per-tenant databases (Lists, list items, settings). All D1 data is encrypted at rest by Cloudflare.
    • Secrets and credentials — Shopify API keys/secrets, the Cloudflare API token, and Storefront tokens, stored as Worker secrets (never in source).
    • Operator accounts — the Cloudflare, Shopify Partner, and source-control accounts used to deploy and operate the App.

    Data-minimization note. The App does not store Customer name, email, phone, or address. Customer name/email are read live from the Shopify Admin API to display in the merchant admin and are not persisted; the databases hold only Shopify identifiers (GIDs), list names, quantities, audit identifiers, and timestamps. This materially limits the data at risk in any incident.

    2. What counts as an incident

    A security incident is any actual or reasonably suspected event that compromises the confidentiality, integrity, or availability of the systems or data above — for example: unauthorized access to a data store or operator account, leaked credentials, exploitation of a vulnerability, data exfiltration, unintended exposure of one tenant's data to another, or malware in the build/deploy pipeline.

    A personal-data breach is an incident that leads to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to personal data the App processes.

    Severity

    Level | Definition | Initial response target
    SEV‑1 — Critical | Confirmed unauthorized access to, or exfiltration of, personal data; cross-tenant data exposure; compromise of a production credential or the deploy pipeline. | Begin response immediately, within 4 hours of detection.
    SEV‑2 — High | Suspected or potential exposure; an actively exploitable vulnerability in production; partial service compromise with no confirmed data access. | Begin response within 24 hours.
    SEV‑3 — Low | Minor issue with no realistic path to personal-data exposure (e.g., a contained bug, a low-risk dependency advisory). | Triage within 3 business days.

    3. Roles

    DPD is a small team; roles may be held by the same person.

    • Incident Lead — coordinates the response, makes containment decisions, and owns external notifications. Primary: the DPD principal. Backup: the second DPD operator.
    • Reporter — anyone (DPD operator, Shopify, a Merchant, a researcher, or an automated alert) who identifies a possible incident.

    4. How incidents are detected and reported

    • Monitoring — Cloudflare Workers observability/logs are enabled in production; every request, including those that read Customer name/email, is logged at the platform level. Cloudflare account audit logs record dashboard/API access.
    • External reports — Shopify security notices, Merchant reports, and third-party/researcher reports sent to plm@digitalprojectdesign.com.

    Anyone who suspects an incident emails plm@digitalprojectdesign.com (or notifies the Incident Lead directly). All suspected incidents are logged with a timestamp, what was observed, and the reporter.

    5. Response process

    1. Identify & triage. The Incident Lead confirms whether an incident occurred, assigns a severity, and opens a brief written incident record (timeline, systems/data involved, actions taken).
    2. Contain. Stop the bleeding: rotate the affected secret(s), revoke or re-issue compromised credentials, disable the affected route or roll back to the last known-good deployed Worker version, and/or restrict access.
    3. Eradicate. Remove the root cause — patch the vulnerability, fix the code, remove unauthorized access, update dependencies.
    4. Recover. Restore correct operation. Data is recoverable via Cloudflare D1 point-in-time recovery (Time Travel) and redeploy from version control. Verify integrity and that the issue is resolved before closing.
    5. Notify. See Section 6.
    6. Review. Within 5 business days of resolving a SEV‑1/SEV‑2, conduct a root-cause review and record remediation actions and any policy changes.

    6. Notification

    • Shopify. For any incident involving Shopify data or platform credentials, notify Shopify without undue delay and as required by the Shopify Partner Program Agreement and API License & Terms of Use, via the channel Shopify designates (Partner Dashboard / security contact).
    • Affected Merchants (controllers). For a personal-data breach, notify each affected Merchant without undue delay after becoming aware, with the information they need to meet their own obligations — the nature of the breach, data and approximate number of records involved, likely consequences, and the measures taken or proposed. This enables the Merchant to meet the GDPR Art. 33 72-hour supervisory-authority deadline where applicable.
    • Data subjects and regulators. As processor, DPD does not notify the Merchant's Customers or supervisory authorities directly; the Merchant (controller) is responsible for those notifications, and DPD provides reasonable assistance and information. DPD will comply with applicable California (CCPA/CPRA) and other breach-notification laws that apply to it directly.
    • Data-subject and deletion requests are handled through the App's implemented Shopify compliance webhooks — customers/data_request, customers/redact, and shop/redact — which surface or delete the relevant data; the Merchant fulfills the Customer-facing delivery within the applicable SLA.

    7. Evidence & records

    Incident records, the actions taken, and relevant logs (Cloudflare Workers logs, D1 state, audit identifiers) are retained for at least 24 months to support review and any regulatory inquiry.

    8. Review

    This policy is reviewed at least annually and after any SEV‑1/SEV‑2 incident, and updated as the App's architecture or obligations change.


    Contact: Digital Project Design LLC, 10441 Chaney Ave, Downey, CA 90241 — plm@digitalprojectdesign.com — https://www.digitalprojectdesign.com
