Skip to main content

Data Breach Policy

Learn about our procedures in the unlikely event that your data becomes exposed due to a data breach.

Bart C avatar
Written by Bart C
Updated over 2 weeks ago

Discount Ninja (the "App”) provides the ability to manage promotions (the "Service") to you (the "Merchant") who uses Shopify to power their store.

This Data Breach Policy describes how we manage situations where your data becomes available due to a data breach.

What is at risk & our exposure

  • The data we store on behalf of you (the merchant)

    • consists of your promotions/offers configuration, usage/analytics data, and related metadata.

    • it does not include payment data, order data or PII of your customers.

  • Given the nature of the data, there is a potential competitive risk if an adversary obtained access to another merchant’s promotions, segmentation, analytics (or your own). So we treat this as confidential and business-sensitive data.

  • We use Microsoft Azure as our cloud platform. Azure implements a broad set of technical and organizational controls (encryption, monitoring, incident-response, certified data-centres, etc).

  • That said, security is a shared responsibility: Microsoft protects the infrastructure and platform layers, but we as the SaaS provider are responsible for the application layer, data access controls, secure coding, logging/monitoring, backups, etc.

Incident / breach response process

  • Upon detection of a potential breach (unauthorised access to customer data or to our system), we will assess the scope (what data, how many records, which customer(s), how long exposed) and decide whether this constitutes a “reportable breach”.

  • If we determine your data was impacted (or highly likely to be impacted), we will notify you promptly, with the following information (as far as is known at that time):

    • nature of breach (what happened)

    • which data was at risk / exposed

    • how long the exposure lasted (if known)

    • what we are doing to contain the incident and remediate

    • what you should do (e.g., reset credentials, review access logs, apply additional restrictions)

  • We will follow up with further updates as our investigation proceeds, and provide a post-incident summary and any remediation steps.

  • We recognise that in certain jurisdictions (e.g., EU under General Data Protection Regulation) there are regulatory obligations to notify data-subjects and regulators within tight time-frames; we will assist you in fulfilling your obligations, where needed.

Impact / mitigation for you

  • You should expect us to treat any breach of your data as a serious event, and to prioritise containment (e.g., closing the vulnerability, revoking access, isolating affected systems) and mitigation (e.g., complete logs review, forensic analysis, credential resets if applicable).

  • We will review whether any of your competitive or proprietary information has been exposed, and recommend (or apply) remedial steps (for example: resetting all service credentials, rotating API keys, re-issuing access tokens, etc.).

  • We will review whether any of your data needs to be restored from backups, whether any data integrity was compromised, and whether analytics/configuration must be re-validated.

  • We will review & strengthen our security controls post-incident (lessons learned, root-cause fix, process improvements) so as to reduce likelihood of recurrence.

Related Articles
Terms and Conditions
Data Processing Agreement
Did this answer your question?