> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stockful.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Incident Response Policy

> How Stockful detects, responds to, and recovers from security incidents affecting merchant data.

**Last Updated:** July 13, 2026

This policy describes how Stockful ("we", "us") identifies, responds to, and recovers from security incidents affecting the confidentiality, integrity, or availability of the data we process on behalf of merchants. It sits alongside the [Privacy Policy](/policies/privacy-policy) and the [Data Processing Agreement](/policies/data-processing-agreement), and it defines the internal process behind the breach-notification commitment in Section 10 of the DPA.

## 1. Purpose and scope

The purpose of this policy is to ensure that security incidents are detected quickly, contained, investigated, and remediated in a consistent way, and that affected merchants are notified promptly and accurately.

This policy applies to all systems that store or process merchant or customer personal data, including our Cloudflare Workers infrastructure, PostgreSQL database (Neon), object and key-value storage (R2, KV), background job execution (Trigger.dev), and the sub-processors listed in the [DPA](/policies/data-processing-agreement#7-sub-processors).

## 2. What counts as a security incident

A security incident is any event that compromises, or that we reasonably believe may compromise, the confidentiality, integrity, or availability of data we process. Examples include:

* Unauthorised access to, or disclosure of, merchant or customer personal data.
* Compromise of application credentials, access tokens, encryption keys, or infrastructure accounts.
* Exploitation of a vulnerability in the application or a sub-processor.
* Loss, corruption, or unavailability of merchant data beyond expected service limits.
* Malware, ransomware, or other malicious activity affecting our systems.

A **personal data breach** is the subset of security incidents that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Personal data breaches trigger the notification obligations in Section 6.

## 3. Severity classification

Incidents are classified on first assessment and re-assessed as facts change:

| Severity            | Definition                                                                                                                     | Examples                                                                                                                              |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- |
| **SEV1 — Critical** | Confirmed or highly likely unauthorised access to personal data, or a full service outage affecting all merchants.             | Database exfiltration, leaked production credentials, exposed access tokens.                                                          |
| **SEV2 — Major**    | A material security weakness or partial outage with a credible path to personal data exposure, not yet confirmed as exploited. | Exploitable vulnerability, sub-processor breach affecting our data, unauthorised access to a non-production system holding real data. |
| **SEV3 — Minor**    | A contained security issue with no evidence of personal data exposure.                                                         | Isolated misconfiguration caught before exposure, low-risk dependency vulnerability, single failed intrusion attempt.                 |

## 4. Roles and responsibilities

Given the size of our team, one person holds primary responsibility for security incident response as the **Incident Lead**. The Incident Lead:

* Owns the response from detection through to post-incident review.
* Decides severity, containment actions, and whether a personal data breach has occurred.
* Coordinates with sub-processors' security and support teams where an incident originates with or involves them.
* Owns merchant and regulator communications, or delegates drafting while retaining approval.

Where specialist help is required, we engage the relevant sub-processor's security team or external counsel.

## 5. Response process

We follow a consistent lifecycle for every incident. Steps run concurrently where appropriate; containment is never delayed for the sake of process.

1. **Detect and report.** Incidents surface through automated monitoring and alerting (Sentry error tracking, Axiom operational analytics and event logging), sub-processor notifications, or reports from merchants and security researchers sent to **[support@stockful.app](mailto:support@stockful.app)**. Anyone who suspects an incident must report it to the Incident Lead without delay.
2. **Triage and classify.** The Incident Lead confirms the incident is genuine, assigns an initial severity (Section 3), and begins an incident record capturing timeline, actions, and evidence.
3. **Contain.** Limit the blast radius — for example rotate or revoke compromised credentials and access tokens, disable affected functionality, block malicious traffic, or isolate affected systems. Preserve evidence needed for investigation.
4. **Eradicate.** Remove the root cause — patch the vulnerability, revoke unauthorised access, remove malicious artefacts, and correct the misconfiguration.
5. **Recover.** Restore affected systems and data to normal operation from known-good state, verify integrity, and confirm the issue is resolved before standing down. Where data restoration is required, we restore from the encrypted, point-in-time backups maintained by our database provider.
6. **Notify.** Where the incident is a personal data breach, follow Section 6.
7. **Review.** Conduct a post-incident review (Section 7).

## 6. Notification

Where an incident is a personal data breach, we notify each affected merchant **without undue delay, and in any event within 72 hours** of becoming aware of the breach, consistent with Section 10 of the [Data Processing Agreement](/policies/data-processing-agreement#10-personal-data-breach-notification). The notification includes, to the extent known at the time:

* The nature of the breach.
* The categories and approximate number of data subjects and records concerned.
* The likely consequences of the breach.
* The measures taken or proposed to address it and to mitigate its effects.

As a data processor, we notify the merchant (the controller) so that the merchant can meet its own obligations to supervisory authorities and data subjects under Articles 33 and 34 of the GDPR. Where an incident affects the Shopify platform integration, we also cooperate with Shopify as required. Notification is never delayed pending complete information; we send an initial notification with what is known and follow up as the investigation progresses.

## 7. Post-incident review

After every SEV1 and SEV2 incident, and at the Incident Lead's discretion for SEV3, we conduct a post-incident review that documents the timeline, root cause, impact, and the effectiveness of the response, and that agrees concrete remediation actions to reduce the likelihood and impact of recurrence. Remediation actions are tracked to completion.

## 8. Testing and maintenance

This policy is reviewed at least annually and after any SEV1 incident, and updated to reflect changes to our systems, sub-processors, and the threat landscape. Our detection and alerting configuration is reviewed as part of ongoing operations.

## 9. Reporting a security concern

If you believe you have found a security vulnerability or have witnessed a security incident affecting Stockful, please contact us as soon as possible:

* **Email:** [support@stockful.app](mailto:support@stockful.app)

Please include enough detail to reproduce or understand the issue. We investigate all reports and will acknowledge receipt.
