Security Incident Response Policy

Last updated: May 2026

This policy describes how Stashback identifies, responds to, and communicates security incidents affecting merchant or customer data.

1. Scope

This policy applies to any security incident affecting Stashback systems, including unauthorized access to merchant backup data, credential or token exposure, data breach, or infrastructure compromise.

2. What constitutes an incident

3. Detection

Incidents may be identified via application error logs, infrastructure alerts, third-party security notifications, or merchant reports. To report a security concern, please use our contact form.

4. Response steps

Upon identifying a potential incident:

  1. Contain — revoke compromised credentials, isolate affected systems, or disable affected functionality as appropriate
  2. Assess — determine the nature and scope of the incident and which merchants or data are affected
  3. Remediate — patch the vulnerability, rotate credentials, and restore normal operation
  4. Document — record the timeline, impact, and actions taken

5. Merchant notification

If an incident results in unauthorized access to a merchant's backup data, affected merchants will be notified within 72 hours of confirmation. Notification will be sent to the store owner's email address and will include: what data was affected, what actions were taken, and any steps merchants should take.

6. Regulatory notification

Where a data breach involves personal data and meets the reporting threshold under applicable law (including GDPR), we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

7. Shopify notification

We will notify Shopify of any confirmed security incident affecting merchant data in accordance with Shopify's Partner Program requirements.

8. Post-incident review

After resolving an incident, we will conduct a review to identify the root cause and implement controls to prevent recurrence.

9. Contact

To report a security concern, please use our contact form.