last updated November 12th, 2024
Our DLP strategy aims to protect customer and merchant data by implementing strict access controls, limiting data storage, and using encrypted, isolated environments. Below is a comprehensive overview of our approach, including best practices that reinforce data security and prevent unauthorized access.
1. Environment Separation and Access Controls
- Environment Segregation: We maintain three distinct environments for development, staging, and production, each with dedicated infrastructure. This segregation prevents cross-environment dependencies, so that a mistake or compromise in development or staging cannot reach production data.
- Production Access Management: Production API keys and tokens are stored as secrets in our Cloudflare environment and are never saved in plain text. Only authorized personnel have access to these keys, with all access logged and monitored.
- Permissions for Deployment and Production Access: Only essential team members are granted permissions to deploy code or access production environments. We follow strict access protocols for API keys and production resources, which enhances security and accountability.
2. Data Storage and Minimization
- Minimal Data Storage Policy: We only retain the minimum required Shopify data to support query patterns and our rule builder functionality.
- Dedicated SQLite Databases for Each Merchant: Each merchant’s data is stored in a separate SQLite database on Cloudflare Durable Objects, so one merchant’s data is isolated from every other merchant’s. Limited customer and order information is stored solely for operational purposes and is not backed up.
- Data Derivation from Shopify: Customer data is derived from the Shopify store data and not backed up outside our system. In case of data corruption or deletion (e.g., due to a merchant uninstalling the app), we regenerate the necessary data directly from Shopify, eliminating the need to store additional backups.
3. Data Access and Security Protocols
- Access to Durable Objects: Each Durable Object (DO) instance is reachable only through authenticated Remote Procedure Calls (RPC). Shopify’s Remix authentication library verifies and authorizes every RPC request, so a request can reach only the Durable Object belonging to the store that authenticated it.
- Restricted Data Retrieval: Our RPC methods are designed solely for processing data in place, not for extracting or querying customer data. There is therefore no path by which the front end, or any other part of the application, can read customer records directly.
- Structured Logging: All logging is structured to avoid accidental data leaks. We follow a “no sensitive data in logs” policy, ensuring that logs capture relevant operational data without exposing any customer information.
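As an added illustration (Python written for this page, not code from the app, which runs on Cloudflare Workers and would express the same pattern in TypeScript), the following shows one way to make a “no sensitive data in logs” policy mechanical rather than a matter of convention: log records accept only an allowlist of operational fields, known customer keys are scrubbed recursively inside any allowed value, and exceptions are logged by type rather than by message. The allowlist, the sensitive-key set, the event names and the sample order payload are all assumptions constructed for the example.

```python
import json
from datetime import datetime, timezone

# Operational fields a log record may carry (assumed set for this example).
# Anything not listed is dropped rather than redacted, so a newly added field
# cannot leak by default.
ALLOWED_FIELDS = {"shop", "topic", "order_id", "rule_id", "status", "duration_ms", "result"}

# Keys dropped wherever they appear inside an allowed value, in case a caller
# passes a structure that nests customer data (assumed set, deliberately broad).
SENSITIVE_KEYS = {
    "email", "phone", "name", "first_name", "last_name", "customer",
    "address", "address1", "address2", "billing_address", "shipping_address",
    "note", "browser_ip", "client_details", "payment_details",
}


def scrub(value):
    """Recursively remove sensitive keys from nested dicts and lists."""
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items() if k.lower() not in SENSITIVE_KEYS}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value


def build_record(event: str, **fields) -> dict:
    """Assemble a structured log record from an event name and keyword fields."""
    record = {"event": event}
    dropped = []
    for key, value in fields.items():
        if key in ALLOWED_FIELDS:
            record[key] = scrub(value)
        else:
            dropped.append(key)  # keep the field *name* so misuse is visible, never the value
    if dropped:
        record["dropped_fields"] = sorted(dropped)
    return record


def build_exception_record(exc: BaseException, **fields) -> dict:
    """Log an exception by type only: str(exc) frequently embeds the data being processed."""
    record = build_record("exception", **fields)
    record["error_type"] = type(exc).__name__
    return record


def emit(record: dict) -> str:
    """Serialise one record as a single JSON line with a UTC timestamp."""
    line = {"ts": datetime.now(timezone.utc).isoformat(), **record}
    return json.dumps(line, separators=(",", ":"), sort_keys=True, default=str)


# Constructed sample: a trimmed orders/create payload as it might arrive from Shopify.
SAMPLE_ORDER = {
    "id": 820982911946154508,
    "email": "jon@example.com",
    "customer": {"id": 115310627314723954, "first_name": "Jon", "last_name": "Snow"},
    "line_items": [{"sku": "ABC-1", "quantity": 1}],
    "total_price": "199.00",
}

if __name__ == "__main__":
    # A careless call that passes the whole payload: the payload is dropped, its name recorded.
    print(emit(build_record("webhook_received", shop="example.myshopify.com",
                            topic="orders/create", order_id=SAMPLE_ORDER["id"],
                            payload=SAMPLE_ORDER)))
    try:
        raise ValueError(f"no rule for customer {SAMPLE_ORDER['email']}")
    except ValueError as exc:
        print(emit(build_exception_record(exc, shop="example.myshopify.com")))
```

The allowlist is the important design choice: a denylist of “known PII keys” has to be kept complete forever, whereas an allowlist only has to name the handful of operational identifiers that are actually useful for debugging. Recording the names of dropped fields (never their values) makes accidental misuse show up in the logs themselves.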
4. Data Transmission and Network Security
- Secure Data Ingestion: All customer data is received from Shopify via webhooks or the bulk query API over TLS and is then processed entirely within our Cloudflare environment. We do not forward customer data to any other network or third party, which limits the opportunities for interception.
- Black Box Rule Engine: The rule engine operates as a black box, where only necessary instructions and functionality flow from the primary application to the rule engine DO via RPC. No data is returned or exposed externally from the rule engine.
- Evaluation Results Handling: After evaluation, only metaobject IDs are saved to app-namespaced Shopify metafields; no customer data is written back. Customer data therefore never leaves our environment once it has been ingested.
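Ingestion via webhooks is only as trustworthy as the check that the webhook really came from Shopify. Shopify signs the raw request body with the app’s secret and sends the base64-encoded HMAC-SHA256 in the X-Shopify-Hmac-Sha256 header. The following is an added example of that verification, written in Python for this page rather than taken from the app (in a Remix app the Shopify library’s webhook authentication performs this check, and a Worker would use the Web Crypto API). The secret, the sample payload and the header values are constructed for illustration; the function and variable names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder for this example. A real app secret lives in a Worker
# secret binding, never in source code or logs.
APP_SECRET = "example-app-secret-not-real"


def sign_webhook(secret: str, raw_body: bytes) -> str:
    """Value Shopify sends in X-Shopify-Hmac-Sha256: base64(HMAC-SHA256(secret, body))."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def get_header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def verify_webhook(secret: str, raw_body: bytes, headers: dict) -> bool:
    """True only if the HMAC header matches the exact bytes that were received.

    The comparison is constant-time; a plain == would leak timing information.
    """
    received = get_header(headers, "X-Shopify-Hmac-Sha256")
    if not received:
        return False
    expected = sign_webhook(secret, raw_body)
    return hmac.compare_digest(expected.encode("ascii"), received.encode("ascii"))


def ingest_webhook(secret: str, raw_body: bytes, headers: dict) -> dict:
    """Reject unverified payloads; otherwise return an operational summary only.

    The customer fields in the payload are available for processing but are not
    part of the returned summary, so the caller has nothing PII-bearing to log.
    """
    if not verify_webhook(secret, raw_body, headers):
        return {"accepted": False, "reason": "hmac_mismatch"}
    payload = json.loads(raw_body)
    return {
        "accepted": True,
        "topic": get_header(headers, "X-Shopify-Topic"),
        "shop": get_header(headers, "X-Shopify-Shop-Domain"),
        "order_id": payload.get("id"),
    }


def reserialised_body(raw_body: bytes) -> bytes:
    """What a framework that parses and re-encodes JSON would hand you: different bytes."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


# Constructed sample: a trimmed orders/create payload, serialised compactly so
# that re-serialising it with Python's default spacing changes the bytes.
SAMPLE_ORDER = {
    "id": 820982911946154508,
    "email": "jon@example.com",
    "customer": {"first_name": "Jon", "last_name": "Snow"},
    "total_price": "199.00",
}
SAMPLE_BODY = json.dumps(SAMPLE_ORDER, separators=(",", ":")).encode("utf-8")
SAMPLE_HEADERS = {
    "X-Shopify-Topic": "orders/create",
    "X-Shopify-Shop-Domain": "example.myshopify.com",
    "X-Shopify-Hmac-Sha256": sign_webhook(APP_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(ingest_webhook(APP_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    # One appended byte, or a body that was parsed and re-encoded, fails verification.
    print(ingest_webhook(APP_SECRET, SAMPLE_BODY + b" ", SAMPLE_HEADERS))
    print(verify_webhook(APP_SECRET, reserialised_body(SAMPLE_BODY), SAMPLE_HEADERS))
```

The two mistakes this guards against are both common: comparing the signature with a normal string equality (timing side channel), and verifying a body that the web framework has already parsed and re-serialised, which silently changes whitespace or key order and makes every genuine webhook fail while a forged one is no harder to produce.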
5. Developer Access and Data Obfuscation
- RPC Over GraphQL, REST, or ORM: The front end communicates with the backend through a fixed set of RPC methods rather than a generic GraphQL, REST, or ORM query surface. Because every path to production Personally Identifiable Information (PII) is a named, logged procedure rather than an ad hoc query, developers cannot reach PII in an untraceable or unauthorized way. This design choice protects both customer and merchant data from potential misuse.
- Role-Based Access Control (RBAC): Developers have limited access to data based on their role, reducing the potential for unauthorized data access. Any data access by developers is fully logged and traceable.
6. Best Practices and Additional Security Measures
- Regular Security Audits: We conduct regular security audits to review access control, logging protocols, and data handling procedures, ensuring continuous improvement and adherence to best practices.
- Data Encryption: All sensitive data is encrypted at rest and in transit.
- Event-Based Monitoring and Alerts: We use event-based monitoring to track access patterns and set up alerts for unusual activity, allowing for rapid response to potential threats.
- Employee Training: Regular training sessions on data handling, security protocols, and privacy regulations are conducted for all team members, reinforcing security-first practices.