Gatekeeper Security & Incident Response Policy

Last updated: June 6, 2026

Scope

This policy covers Gatekeeper's handling of merchant and customer data stored by the Gatekeeper Shopify application.

Access controls

• Production database access is limited to authorized engineering staff.
• Staff accounts use strong passwords and multi-factor authentication.
• Access to production is logged by our hosting provider.

Data loss prevention

• Secrets (.env) are never committed to source control.
• Test stores use separate databases from production.
• Personal data is minimized and automatically purged after the retention period.

Encryption

• In transit: All API and admin traffic uses HTTPS (TLS 1.2+).
• At rest: Production databases use encrypted storage and encrypted backups.

Incident response

If we confirm unauthorized access to personal data:

1. Contain: revoke compromised credentials and isolate affected systems.
2. Assess: determine scope, data types, and merchants affected.
3. Notify: inform affected merchants within 72 hours via email.
4. Remediate: patch vulnerability and rotate secrets.
5. Document: record timeline and actions taken.

Report security issues: support@gatekeeper.app

Audits

Gatekeeper has not yet completed third-party SOC 2 certification. We follow Shopify protected customer data requirements and GDPR webhook obligations.