Documentation

Last updated: March 12, 2026

Security Incident Response Policy

This policy defines how MYNTY responds to security incidents that may affect merchant data, customer personal information, or service availability.

All access to protected customer data (email, order information) is logged via structured pii_access audit events.
Suspicious patterns (unusual volume, unauthorized access attempts) are monitored via server logs.
Any team member who suspects a breach must immediately notify the engineering lead at hello@mynty.io.

Determine the scope: which merchants, stores, and data types are affected.
Review pii_access audit logs, server logs, and database query logs to establish a timeline.
Identify the attack vector or root cause (e.g., compromised credentials, vulnerability exploit, misconfiguration).
Preserve all evidence — do not delete or modify logs during investigation.

Revoke compromised credentials (API keys, session tokens, OAuth tokens) immediately.
If a vulnerability is being actively exploited, deploy a hotfix or temporarily disable the affected endpoint.
Rotate SESSION_SIGNING_SECRET and SHOPIFY_WEBHOOK_SECRET if session or webhook integrity is compromised.

Affected merchants: Notify via email within 72 hours of confirming the incident. Include: what happened, what data was affected, what steps are being taken, and recommended actions.
Shopify: Notify Shopify Partner Support of any breach involving Shopify customer data or OAuth tokens.
Authorities: If required by GDPR, CCPA, or other applicable law, file a report with the relevant supervisory authority within the legally mandated timeframe.

Patch the root cause and deploy the fix to production.
Verify the fix with testing and confirm the attack vector is closed.
Conduct a post-incident review documenting: timeline, root cause, impact, and prevention measures.
Update security practices, monitoring, or access controls based on lessons learned.

Report security concerns to hello@mynty.io.