Security Incident Response Policy
Last updated: February 20, 2026
1. Purpose
This Security Incident Response Policy defines how Maevn AI ("Maevn," "we," "us," or "our") identifies, responds to, and recovers from security incidents that could affect the confidentiality, integrity, or availability of merchant and customer data processed by the Maevn Shopify application (the "App").
Our goal is to minimize the impact of any security event, restore normal operations as quickly as possible, and communicate transparently with affected parties.
2. Scope
This policy applies to all security incidents involving:
- The Maevn application, API endpoints, and backend infrastructure.
- Merchant data including store configurations, API tokens, and analytics data stored in our systems.
- End-user behavioral data and any voluntarily provided email addresses.
- Third-party integrations including Shopify API, Anthropic (Claude AI), Klaviyo, and infrastructure providers (Railway, Upstash).
- All Maevn team members, contractors, and service providers with access to production systems.
3. Definitions
- Security Incident: Any event that compromises or has the potential to compromise the confidentiality, integrity, or availability of data or systems. Examples include unauthorized access, data breaches, malware infections, denial-of-service attacks, and accidental data exposure.
- Security Event: An observable occurrence that may indicate a potential security incident, such as unusual login activity, anomalous API traffic, or failed authentication attempts.
- Data Breach: A confirmed incident where protected data has been accessed, disclosed, or acquired by an unauthorized party.
4. Incident Severity Levels
Critical (P0)
Active, confirmed breach of merchant or customer data; compromised API tokens or credentials; unauthorized access to production databases. Requires immediate response (within 1 hour).
High (P1)
Suspected breach or unauthorized access attempt with evidence of partial success; vulnerability actively being exploited; service outage affecting data integrity. Response within 4 hours.
Medium (P2)
Discovered vulnerability that could be exploited but has not been; suspicious activity that requires investigation; third-party provider reports a security issue. Response within 24 hours.
Low (P3)
Minor policy violations; failed attack attempts with no impact; routine security alerts from monitoring systems. Response within 72 hours.
5. Incident Response Phases
5.1 Detection & Identification
We detect potential incidents through:
- Automated monitoring and alerting on infrastructure metrics, error rates, and anomalous API usage patterns.
- Application-level logging of authentication events, API access patterns, and data access.
- Third-party security notifications from Shopify, Railway, Upstash, and Anthropic.
- Reports from merchants, security researchers, or team members.
Upon detection, the incident is logged with a timestamp, initial description, affected systems, and a preliminary severity classification.
5.2 Containment
Immediate containment measures are taken to limit the scope and impact of the incident:
- Short-term: Isolate affected systems, revoke compromised credentials, block malicious IP addresses, and disable affected API endpoints if necessary.
- Long-term: Apply patches, rotate all potentially compromised secrets and tokens, strengthen access controls, and implement additional monitoring.
5.3 Eradication
Once contained, we work to eliminate the root cause:
- Identify and remove any malicious code or unauthorized access points.
- Patch vulnerabilities that allowed the incident to occur.
- Verify that all compromised credentials have been rotated.
- Conduct a thorough review of affected systems to ensure no persistence mechanisms remain.
5.4 Recovery
- Restore affected systems from verified clean backups if necessary.
- Gradually restore services with enhanced monitoring.
- Validate data integrity before resuming normal operations.
- Confirm that all security controls are functioning correctly.
5.5 Post-Incident Review
Within 5 business days of resolution, we conduct a post-incident review that includes:
- A detailed timeline of events from detection through recovery.
- Root cause analysis identifying what failed and why.
- Assessment of the response effectiveness and areas for improvement.
- Concrete action items with owners and deadlines to prevent recurrence.
- Updates to this policy, monitoring, or infrastructure as warranted.
6. Notification Procedures
6.1 Affected Merchants
If an incident involves merchant data, we will notify affected merchants within 72 hours of confirming the breach. Notification will include:
- A description of the incident and the type of data involved.
- The measures we have taken and are taking to address the incident.
- Recommended actions merchants should take (e.g., rotating API keys).
- Contact information for our security team.
6.2 Shopify
We will notify Shopify of any security incident affecting merchant data or App functionality in accordance with Shopify Partner Program requirements and applicable API terms of service.
6.3 Regulatory Authorities
Where required by applicable data protection laws (including GDPR), we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying data breach. If the breach is likely to result in a high risk to affected individuals, we will also directly notify those individuals.
6.4 Law Enforcement
If we have reason to believe the incident involves criminal activity, we will engage law enforcement as appropriate while preserving evidence and maintaining chain of custody.
7. Data-Specific Considerations
Given the nature of the data we process, our response prioritizes:
- Merchant API tokens: Immediate revocation and re-authentication through Shopify OAuth if token compromise is suspected.
- Email addresses: Notification to any customers whose voluntarily provided email addresses may have been exposed.
- Behavioral data: Assessment of whether anonymized session data could be re-identified in combination with other compromised data.
- AI processing data: Verification with Anthropic that no product data sent to the Claude API was intercepted or retained outside normal processing.
8. Preventive Measures
We maintain the following security controls to reduce incident likelihood:
- All data in transit encrypted via HTTPS/TLS; data at rest encrypted in PostgreSQL (Railway) and Redis (Upstash).
- Scoped Shopify API tokens with least-privilege access (read products, manage discounts).
- No personally identifiable information sent to third-party AI services.
- Automatic expiration of session data after 30 minutes of inactivity.
- Regular dependency audits and security patching.
- Infrastructure access restricted with role-based controls and multi-factor authentication.
9. Roles & Responsibilities
- Incident Lead: Coordinates the response, makes containment decisions, and serves as the primary point of contact for the duration of the incident.
- Engineering: Investigates technical root cause, implements containment and eradication measures, and restores services.
- Communications: Drafts and delivers notifications to affected merchants, Shopify, and regulatory authorities as required.
10. Reporting a Security Concern
If you are a merchant, security researcher, or anyone who has discovered a potential security vulnerability or incident involving Maevn, please contact us immediately:
Email: security@maevn.ai
We take all reports seriously and will acknowledge receipt within 24 hours. We ask that you provide a detailed description of the concern, steps to reproduce (if applicable), and refrain from publicly disclosing the issue until we have had a reasonable opportunity to investigate and address it.
11. Policy Review
This policy is reviewed and updated at least annually, or following any significant security incident. Changes will be reflected in the "Last updated" date above.