Security & Incident Response

Last updated: April 3, 2026

Reporting a Vulnerability

If you discover a security vulnerability in Chargeback Shield, please disclose it responsibly by emailing [email protected]. We will acknowledge your report within 48 hours and keep you updated as we investigate and remediate.

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

Incident Response Process

  1. Detection — Automated alerts, monitoring, or external reports identify a potential security incident.
  2. Containment — Affected systems are isolated or access is revoked to prevent further impact.
  3. Assessment — The engineering team determines the scope, severity, and nature of the incident, including whether personal data was affected.
  4. Notification — If personal data is involved, affected merchants and Shopify are notified within 72 hours of confirmed detection, in accordance with GDPR Article 33.
  5. Remediation — Root cause is addressed, patches are deployed, and controls are strengthened to prevent recurrence.
  6. Post-Incident Review — A blameless post-mortem is conducted to document the timeline, impact, and improvements.

Data Breach Notification

In the event of a confirmed data breach involving personal data, Chargeback Shield will:

  • Notify affected merchants within 72 hours of confirmed detection.
  • Notify Shopify as required under our Partner Agreement.
  • Provide details of the data affected, likely consequences, and measures taken.
  • Cooperate with relevant data protection authorities as required by applicable law.

Security Measures

  • AES-256-GCM encryption for all stored Shopify access tokens
  • HTTPS / TLS 1.2+ enforced for all data in transit
  • Clerk authentication with session management for all dashboard access
  • Rate limiting on all API endpoints to prevent abuse
  • Row-Level Security (RLS) on all database tables — data is always scoped to the authenticated merchant
  • PII access logging to the data_access_log table for all routes that read customer data
  • 3-year automated data retention with monthly pg_cron cleanup of orders and disputes
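As an added illustration (not Chargeback Shield's own schema or code), the PostgreSQL fragment below shows how the merchant-scoped RLS rule, the data_access_log write for PII reads, and the monthly pg_cron retention job listed above can fit together; the column names, the app.merchant_id session setting and the sample ids are assumptions.

```sql
-- Constructed example, not Chargeback Shield's schema. Column names,
-- the app.merchant_id session setting and the sample ids are assumed.
CREATE TABLE orders (
  id             bigserial PRIMARY KEY,
  merchant_id    text NOT NULL,
  customer_email text,                 -- PII: reads of this must be logged
  created_at     timestamptz NOT NULL DEFAULT now()
);
CREATE TABLE data_access_log (
  id          bigserial PRIMARY KEY,
  merchant_id text NOT NULL,
  route       text NOT NULL,
  order_id    bigint,
  accessed_at timestamptz NOT NULL DEFAULT now()
);

-- Scope every row to the authenticated merchant. FORCE makes the policy
-- apply to the table owner too; the app must still connect as a role
-- without BYPASSRLS, since superusers ignore RLS entirely.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;
CREATE POLICY orders_merchant_scope ON orders
  USING      (merchant_id = current_setting('app.merchant_id', true))
  WITH CHECK (merchant_id = current_setting('app.merchant_id', true));
-- current_setting(..., true) returns NULL when unset, so a connection that
-- forgot to set the merchant sees no rows instead of every merchant's rows.

-- A route reading customer PII: the audit write happens in the same
-- transaction as the read, so the log row and the data read succeed or
-- fail together.
BEGIN;
SET LOCAL app.merchant_id = 'merchant_123';
INSERT INTO data_access_log (merchant_id, route, order_id)
  SELECT merchant_id, '/api/orders/:id', id FROM orders WHERE id = 42;
SELECT id, customer_email FROM orders WHERE id = 42;
COMMIT;

-- 3-year retention: pg_cron deletes aged orders at 03:00 on the 1st of
-- every month (a matching job would be scheduled for the disputes table).
-- The job runs as the scheduling role; with FORCE RLS that role needs its
-- own policy (or BYPASSRLS), otherwise the DELETE silently removes nothing.
CREATE EXTENSION IF NOT EXISTS pg_cron;
SELECT cron.schedule(
  'orders-3y-retention',
  '0 3 1 * *',
  $$DELETE FROM orders WHERE created_at < now() - interval '3 years'$$
);
```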

Contact

Chargeback Shield Security Team

Email: [email protected]

Privacy: [email protected]