Incident Response Policy

Last updated: April 6, 2026

Purpose

This policy describes how Panelque detects, responds to, and communicates about security incidents that may affect merchants or their customers’ personal data.

Scope

This policy applies to any event that compromises, or is reasonably suspected to compromise, the confidentiality, integrity, or availability of data processed by Panelque — including merchant store data and customer personal data obtained from Shopify.

Definitions

  • Security Incident — any unauthorized access, disclosure, alteration, loss, or destruction of data, or any event that materially disrupts Panelque services.
  • Personal Data Breach — a security incident involving customer or merchant personal data.

Roles

  • Incident Lead — the Panelque maintainer, responsible for coordinating the response end to end.
  • Technical Responders — engineers who investigate, contain, and remediate the incident.

Response Phases

1. Detection and Reporting

Incidents may be detected through application logs, infrastructure alerts, Shopify notifications, merchant reports, or third-party disclosures. Anyone who suspects an incident must report it immediately to [email protected].

2. Triage and Assessment

Within 24 hours of detection, the Incident Lead will:

  • Confirm whether an incident has occurred.
  • Classify its severity (low, medium, high, critical).
  • Determine whether personal data is affected.
  • Open an internal incident record documenting timeline, scope, and actions.

3. Containment

Immediate steps to limit impact may include revoking compromised credentials and API tokens, rotating secrets, disabling affected accounts or endpoints, isolating affected systems, and applying emergency patches.

4. Eradication and Recovery

Once contained, responders will identify and remove the root cause, restore affected systems from a known-good state or from encrypted backups, validate integrity, and monitor for recurrence before returning services to normal operation.

5. Notification

If a personal data breach is confirmed, Panelque will:

  • Notify affected merchants without undue delay, and in any event within 72 hours of confirmation, with the information known at that time.
  • Notify Shopify in accordance with the Shopify Partner Program Agreement and protected customer data requirements.
  • Where legally required, support merchants in notifying supervisory authorities and data subjects under applicable laws such as the GDPR.

Notifications will include, to the extent known: the nature and scope of the incident, categories of data affected, likely consequences, measures taken, and recommended steps for merchants.

6. Post-Incident Review

Within 14 days of resolution, the Incident Lead will complete a post-mortem documenting the root cause, timeline, impact, and corrective actions. Follow-up tasks (code fixes, policy updates, additional monitoring) are tracked to completion.

Preventive Controls

Panelque maintains the following baseline controls to reduce incident likelihood and impact:

  • TLS encryption for all data in transit.
  • Encryption at rest for databases, object storage, and backups via the hosting provider.
  • HMAC verification of all Shopify webhooks.
  • Per-shop data scoping to prevent cross-tenant access.
  • Restricted production access limited to authorized maintainers with strong authentication.
  • Separation of development, staging, and production environments.
  • Access and application logs retained for auditing.
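The HMAC verification control above is the one most often implemented incorrectly, so the following is an added example of what it has to do. It is not Panelque's own code; it assumes Shopify's documented scheme (the X-Shopify-Hmac-Sha256 header carries a base64-encoded HMAC-SHA256 of the raw request body keyed with the app's client secret), and the secret, body and handler names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; a real deployment loads the secret from its
# environment and never from source.
APP_CLIENT_SECRET = "hush-example-client-secret"

# Header Shopify sets on every webhook delivery (assumed from Shopify's docs):
# base64(HMAC-SHA256(client_secret, raw_request_body)).
HMAC_HEADER = "X-Shopify-Hmac-Sha256"


def compute_webhook_hmac(raw_body: bytes, secret: str) -> str:
    """Return the base64-encoded HMAC-SHA256 of the raw request body."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_webhook(raw_body: bytes, headers: dict, secret: str) -> bool:
    """Accept the delivery only if the signature header matches the raw body.

    Two details matter: the HMAC is computed over the bytes exactly as received
    (not over a parsed-and-re-serialised copy), and the comparison is
    constant-time so timing differences do not leak how many bytes matched.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(HMAC_HEADER.lower())
    if not presented:
        return False
    expected = compute_webhook_hmac(raw_body, secret)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


def handle_webhook(raw_body: bytes, headers: dict):
    """Hypothetical handler: verify first, parse second.

    Returns (status_code, parsed_payload_or_None).
    """
    if not verify_shopify_webhook(raw_body, headers, APP_CLIENT_SECRET):
        return 401, None
    return 200, json.loads(raw_body)


def reserialise(raw_body: bytes) -> bytes:
    """Parse and re-encode a JSON body, as a naive handler might do before signing."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


# Constructed sample delivery: an orders/create-style payload and the header
# Shopify would attach for it under APP_CLIENT_SECRET.
SAMPLE_BODY = b'{"id":1001,"email":"[email protected]","total_price":"12.00"}'
SAMPLE_HEADERS = {HMAC_HEADER: compute_webhook_hmac(SAMPLE_BODY, APP_CLIENT_SECRET)}
# A tampered body: same header, different content.
TAMPERED_BODY = b'{"id":1001,"email":"[email protected]","total_price":"0.00"}'


if __name__ == "__main__":
    print("genuine  :", handle_webhook(SAMPLE_BODY, SAMPLE_HEADERS)[0])
    print("tampered :", handle_webhook(TAMPERED_BODY, SAMPLE_HEADERS)[0])
    print("no header:", handle_webhook(SAMPLE_BODY, {})[0])
    # Re-serialising the body changes whitespace, so its HMAC no longer matches.
    print("raw == reserialised HMAC:",
          compute_webhook_hmac(SAMPLE_BODY, APP_CLIENT_SECRET)
          == compute_webhook_hmac(reserialise(SAMPLE_BODY), APP_CLIENT_SECRET))
```

The `reserialise` helper exists only to show the common failure mode: frameworks that hand the handler a parsed object make it tempting to sign `json.dumps(payload)`, which silently breaks verification for any body whose whitespace or key order differs, and tempts people to disable the check. Read the raw bytes from the request, verify them, and only then parse.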

Contact

To report a suspected security incident or vulnerability, please contact:

[email protected]

We aim to acknowledge reports within one business day.