Security Incident Response Policy

Last updated: May 14, 2026

Purpose

PickAndPack is committed to protecting the personal data of merchants and their customers. This policy defines how we identify, respond to, and recover from security incidents that may affect the confidentiality, integrity, or availability of data processed by our application.

Scope

This policy applies to all systems, services, and data handled by PickAndPack, including order data fetched from Shopify, generated PDF documents stored in cloud storage, and application infrastructure.

What Constitutes a Security Incident

A security incident includes, but is not limited to:

  • Unauthorized access to merchant or customer data
  • Exposure of Shopify API credentials or session tokens
  • Data breach affecting stored PDF documents or database records
  • Compromise of application infrastructure or cloud storage
  • Malicious code injection or unauthorized modification of templates

Response Procedure

Upon detection or report of a suspected security incident, we follow these steps:

1. Identification

Confirm whether a security incident has occurred. Assess the nature and scope of the potential breach, including what data may have been affected and how many merchants or customers are involved.

2. Containment

Take immediate steps to limit the impact. This may include revoking compromised credentials, taking affected systems offline, restricting access to cloud storage, or disabling the application temporarily.

3. Assessment

Determine what data was accessed or exposed, the root cause of the incident, and the potential risk to affected merchants and their customers.

4. Notification

Notify affected merchants via email within 72 hours of confirming a breach. The notification will include what happened, what data was involved, what we are doing about it, and recommended actions for the merchant. We will also report the incident to Shopify Partner Support as required.

5. Remediation

Fix the vulnerability that caused the incident. Deploy updated code, rotate credentials, and verify that the issue has been fully resolved before restoring normal service.

6. Review

Conduct a post-incident review to document what occurred, what was done in response, and what changes will be made to prevent similar incidents in future.

Reporting a Security Issue

If you have discovered a potential security vulnerability or incident involving PickAndPack, please report it immediately by emailing security@javabeanai.com. We take all reports seriously and will respond promptly.

Data Protection Standards

To minimise the risk of incidents, PickAndPack maintains the following security practices:

  • All data is encrypted in transit using HTTPS/TLS
  • Data at rest is encrypted in cloud storage (Backblaze B2)
  • Shopify access tokens are stored securely and never exposed publicly
  • Access to production systems is restricted to authorised personnel only
  • Test and production environments are kept separate
  • Regular backups are maintained and encrypted

Policy Review

This policy is reviewed at least annually and updated as needed to reflect changes in our systems, services, or regulatory requirements.

© 2026 PickAndPack. All rights reserved.

Developed by JavaBeanAI