Security Incident Response Policy

This Security Incident Response Policy ("Policy") outlines the procedures dStudio follows in the event of a security incident, in compliance with Shopify and Etsy's requirements, as well as applicable data protection laws.

1. Introduction

dStudio is committed to protecting the security of Customer data. This Policy provides a framework for responding to security incidents to minimize the impact and ensure compliance with legal and regulatory obligations.

2. Definitions

A security incident is defined as any event that compromises the confidentiality, integrity, or availability of Customer data. This includes, but is not limited to:

  • Unauthorized access to systems or data
  • Data breaches or leaks
  • Malware or ransomware attacks
  • Denial of Service (DoS) attacks
  • Phishing or social engineering attacks

3. Incident Response Team

dStudio has established an Incident Response Team (IRT) responsible for managing security incidents. The IRT includes representatives from the following departments:

  • Information Technology
  • Legal and Compliance
  • Customer Service
  • Communications

4. Incident Reporting

All employees, contractors, and third parties are required to report suspected security incidents immediately. Reports can be made through the following channels:

5. Incident Response Procedure

Upon receiving a security incident report, the IRT will follow these steps:

Identification

Confirm the occurrence of a security incident and gather relevant details, including the nature and scope of the incident.

Containment

Implement measures to contain the incident and prevent further damage. This may include isolating affected systems, disabling compromised accounts, or blocking malicious traffic.

Eradication

Identify and eliminate the root cause of the incident. This may involve removing malware, closing vulnerabilities, or updating security protocols.

Recovery

Restore affected systems and data to normal operation. This includes verifying the integrity of systems and ensuring that security measures are in place to prevent recurrence.

Notification

Notify affected Customers, regulatory authorities, and other stakeholders as required by law and in accordance with Shopify and Etsy's policies. Notifications will include:

  • A description of the incident
  • The types of data involved
  • Steps taken to address the incident
  • Contact information for further inquiries

Documentation

Document all actions taken during the incident response process, including timelines, decisions, and communications. This documentation will be used for post-incident analysis and reporting.

6. Post-Incident Review

After resolving a security incident, the IRT will conduct a post-incident review to evaluate the response and identify areas for improvement. This review will cover:

  • Effectiveness of the response actions
  • Impact of the incident
  • Lessons learned
  • Recommendations for enhancing security measures

7. Compliance with Shopify and Etsy

dStudio agrees to comply with the security incident response requirements of Shopify and Etsy, including:

  • Maintaining an effective incident response plan
  • Promptly addressing security incidents and mitigating risks
  • Notifying Shopify and Etsy of any significant security incidents involving their platforms

8. Policy Review and Updates

dStudio reviews this Policy annually or as required to ensure compliance with legal and regulatory requirements and Shopify and Etsy's policies. Updates to this Policy will be communicated to employees and relevant stakeholders through our website or other communication channels.

9. Contact Information

For any questions or concerns regarding this Policy or our security incident response practices, please contact us at:

dStudio
The Old Church Hall
7 London Road
Little Clacton
Essex
CO16 9RW
hello@dstudiouk.com
01255 860800

Data Protection Policy - Data Retention Policy - Security Incident Response Policy - API Docs