CreditOps Security & Incident Response Policy

Last updated: July 10, 2026

This policy describes how Talivio Technology OÜ, the operator of CreditOps, protects the personal data (customer name and email) that the app processes, and what we do if a security incident affects it. It supplements our Privacy Policy.

1. Scope

CreditOps is operated by a single-person team. This policy is intentionally sized to that reality: it is a concrete, followable process rather than a framework built for a larger organization. It covers the production server, database, and source code repository that store or process merchant and customer data on our behalf.

2. What we protect

3. Preventive measures currently in place

ControlStatus
All traffic encrypted in transit (HTTPS/TLS)In place
Access to the production server and database limited to the operatorIn place
Access logging for reads of customer name/email (sync and lookup operations)In place — see Privacy Policy
Retention limits and deletion jobs tied to Shopify's mandatory GDPR webhooksIn place — see Privacy Policy
Customer name/email encrypted at rest in the database (AES-256)In place
Nightly database backups, encrypted (AES-256), 30-day retentionIn place
Formal password-manager / MFA policy for operator accountsNot yet formalized

We disclose gaps here rather than overstate our posture; merchants evaluating the app should weigh this against the sensitivity of the data involved (store credit balances and customer name/email — no payment card data, and no data beyond what Shopify itself already holds).

4. What counts as a security incident

Any event that risks the confidentiality, integrity, or availability of the data in section 2 — for example, unauthorized access to the production server or database, a leaked or compromised Shopify access token, loss of a device with access to production systems, or a vulnerability that could have been exploited to read or alter merchant or customer data.

5. Response process

  1. Detect. Via server/application error monitoring, Shopify API error alerts, or a report from a merchant, security researcher, or Shopify.
  2. Contain. Revoke or rotate the affected credentials (Shopify access tokens, server/DB credentials, deploy keys) immediately; if the production server itself is compromised, take the affected service offline rather than leave it exposed.
  3. Assess. Determine what data was accessible, to whom, and for how long, using application logs, the personal-data-access audit log (section 3), and server access logs.
  4. Notify.
  5. Remediate. Fix the underlying cause (patch, config change, credential rotation, code fix) before restoring the affected service.
  6. Review. After the incident is resolved, document what happened, why, and what changes (technical or process) will prevent a repeat. This policy is updated if the review identifies a gap in it.

6. Reporting a security issue

If you believe you've found a security vulnerability in CreditOps, please report it to [email protected]. We ask that you give us a reasonable opportunity to investigate and address a report before disclosing it publicly, and that you don't access, modify, or delete data that isn't yours while investigating.

7. Contact

Talivio Technology OÜ (registry code 16991406), Ahtri tn 12, Kesklinna linnaosa, Tallinn, Harju maakond, 15551, Estonia — [email protected].