Security Incident Response Policy – TrackLayer
TrackLayer — Digital Dudes
Last updated: June 2026
What Counts as an Incident
A security incident is any event that compromises or may compromise the confidentiality, integrity, or availability of merchant or customer data. Examples:
- Unauthorised access to the production database
- Exposed API keys, tokens, or encryption keys in code or logs
- Data sent to the wrong merchant’s ad platform accounts
- A third-party service (Railway, Fly.io, Google, TikTok) reports a breach affecting our data
- Accidental deletion of merchant data
Who Is Responsible
The lead developer is the incident owner. They are responsible for detecting, containing, and communicating every incident. If the lead developer is unavailable, responsibility passes to the next available team member.
Step 1 — Detect and Assess (within 1 hour)
When an incident is suspected or reported:
- Confirm whether an incident actually occurred or is a false alarm
- Identify what data was affected (merchant credentials, customer PII, EventLog data)
- Identify how many merchants and end customers are potentially affected
- Classify severity:
  - High: customer PII exposed externally, credentials compromised, active breach in progress
  - Medium: internal misconfiguration with no confirmed external exposure
  - Low: near-miss, no data exposed, no external access
Step 2 — Contain (within 2 hours of confirmation)
For a High severity incident, immediately:
- Revoke compromised API keys, tokens, or access credentials
- Rotate the ENCRYPTION_KEY environment variable and redeploy
- Disable the affected merchant’s integration if their specific data was exposed
- Take a snapshot of logs before making any changes (preserve evidence)
- If the database is actively breached, take the app offline and restore from the last clean backup
For Medium and Low, contain without taking the app offline where possible.
Step 3 — Notify
Shopify: Report any breach involving merchant or customer data to Shopify’s Partner support within 24 hours of confirming the incident. Use the Partner Dashboard support channel.
Affected merchants: Notify directly by email within 48 hours of confirming the incident. Include:
- What happened
- What data was affected
- What we have done to contain it
- What they should do (e.g. rotate their GA4 API secret)
Supervisory authority (GDPR): If the incident involves personal data of EU/EEA residents, report to the relevant data protection authority (in the Netherlands: Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach. Report at autoriteitpersoonsgegevens.nl.
If fewer than 250 individuals are affected and the risk to their rights is low, the supervisory authority notification may not be required — assess case by case.
Step 4 — Resolve and Review (within 7 days)
- Confirm the vulnerability is fully closed
- Verify no residual access exists
- Write a brief internal post-mortem: what happened, root cause, what changes prevent recurrence
- Update this policy or the app’s security setup if the incident revealed a gap
Data Retention and Deletion
- EventLog data is purged after 90 days via automated job
- On receipt of a merchant uninstall webhook, all their data is deleted immediately
- Merchants can request manual deletion at any time by contacting support
Contact
Security concerns or incident reports: contact the lead developer directly via internal channels or at the registered company email address: info@digitaldudes.nl