Data Loss Prevention Strategy
Last updated: March 23, 2026 — Effective Date: March 23, 2026
1. Purpose
This Data Loss Prevention (DLP) Strategy establishes the policies, procedures, and technical controls that Gemhubx ("we," "us," "our") employs to prevent unauthorized access, use, disclosure, modification, or destruction of data across all systems and services. The objective of this strategy is to safeguard the confidentiality, integrity, and availability of all data entrusted to us by our merchants, their customers, and our business partners.
This strategy applies to all forms of data—whether stored electronically, transmitted across networks, or maintained in physical form—and governs the behavior of all personnel, contractors, and automated systems that interact with Gemhubx data assets.
2. Scope
This DLP Strategy applies to:
- All systems and infrastructure: Production servers, staging environments, development machines, and backup systems
- All networks: Internal networks, VPN connections, third-party API communications, and webhook channels
- All data repositories: MySQL databases, file storage, log files, session stores, and cache layers
- All cloud services: Hosting providers, CDN services (Cloudflare), DNS providers, and any SaaS tools used in operations
- All endpoints: Servers, workstations, mobile devices, and any device used to access Gemhubx systems
- All personnel: Employees, contractors, consultants, and any third party with access to Gemhubx data or systems
- All integrations: Shopify API, WooCommerce API, supplier APIs, payment processors, and email services
3. Data Classification
All data processed by Gemhubx is classified into one of the following four levels. Each level dictates the minimum security controls required for handling, storage, transmission, and disposal.
| Classification | Description | Examples | Handling Requirements |
|---|---|---|---|
| Critical | Data whose compromise would cause severe operational or legal impact | Shopify API keys, OAuth access tokens, database credentials, encryption keys, SSH private keys, environment secrets | AES-256 encryption at rest; TLS 1.2+ in transit; access restricted to essential systems only; never logged in plaintext; rotated regularly |
| Confidential | Personally identifiable information and sensitive business data | Customer PII (names, emails, phone numbers, addresses), order data, payment information, merchant account details, store configuration | Encrypted at rest and in transit; access limited to authorized personnel; subject to GDPR/CCPA rights; retention limits enforced; audit-logged |
| Internal | Business operational data not intended for public disclosure | Product catalogs, supplier pricing, wholesale costs, business analytics, internal communications, system architecture documentation | Protected by access controls; shared only on a need-to-know basis; not exposed to public-facing interfaces; standard backup procedures |
| Public | Data intended for or already available to the general public | Marketing materials, published legal policies, public-facing website content, app store listing, support documentation | No special handling required; integrity controls to prevent unauthorized modification; version-controlled where applicable |
4. Encryption Standards
4.1 Data in Transit
- TLS 1.2 or higher is enforced on all HTTP connections to and from https://gemhubapp.com. TLS 1.0 and 1.1 are disabled.
- All API calls to Shopify, WooCommerce, supplier endpoints, and payment processors are transmitted exclusively over HTTPS.
- All webhook communications (inbound and outbound) are encrypted via TLS and authenticated using HMAC-SHA256 signatures.
- SSH connections to servers use key-based authentication with a minimum key length of 4096 bits.
- Database connections from the application to MySQL are encrypted when traversing networks.
4.2 Data at Rest
- AES-256 encryption is used for all stored OAuth tokens, API credentials, and encryption keys within the database.
- bcrypt (cost factor 12+) is used for hashing all user passwords. Passwords are never stored in plaintext or reversible encryption.
- Database backups are encrypted before being transferred to off-site storage.
- Environment files (.env) containing secrets are protected by filesystem permissions (0600) and are excluded from version control.
4.3 Key Management
- Encryption keys are stored separately from the data they protect.
- The Laravel APP_KEY is generated using a cryptographically secure random generator and is rotated in accordance with our key rotation schedule.
- API keys and tokens are rotated immediately upon suspected compromise and on a regular schedule (minimum quarterly).
- Retired keys are securely destroyed and cannot be recovered.
5. Access Control
5.1 Role-Based Access Control (RBAC)
Access to Gemhubx systems and data is governed by role-based access control. Each role is granted the minimum permissions necessary to perform its function:
- Administrator: Full system access, server management, deployment operations, and database administration
- Developer: Code repository access, staging environment access, and read-only production log access
- Support: Merchant account data viewing, order lookup, and limited system configuration
- Merchant (User): Access limited to their own store data, products, orders, and account settings
5.2 Principle of Least Privilege
All access grants follow the principle of least privilege. Users and systems are given only the minimum access rights required to perform their authorized tasks. Elevated permissions are granted on a temporary, time-limited basis and are revoked when no longer needed.
5.3 Authentication Requirements
- Multi-Factor Authentication (MFA): Required for all administrative access to servers, databases, hosting panels, and DNS management
- SSH Key-Based Authentication: Password-based SSH login is disabled on all production and staging servers. Only key-based authentication with passphrase-protected keys is permitted.
- Shopify OAuth: Merchant authentication is handled through Shopify's OAuth 2.0 flow, eliminating the need for merchants to create or manage separate passwords
- API Key Management: All API keys are unique per integration, scoped to minimum required permissions, and revocable at any time
5.4 Session Management
- Sessions are stored in the database with encrypted session data
- Session cookies are configured with Secure, HttpOnly, and SameSite=None attributes for embedded app compatibility
- Sessions expire after a maximum of 24 hours of inactivity
- All sessions for an account are invalidated upon password change or security concern
6. Network Security
- Firewall (UFW): Only ports 22 (SSH), 80 (HTTP, redirects to HTTPS), and 443 (HTTPS) are open on production servers. All other inbound traffic is denied by default.
- Cloudflare WAF: All traffic to https://gemhubapp.com is proxied through Cloudflare, which provides Web Application Firewall rules, bot detection, and threat intelligence filtering.
- DDoS Protection: Cloudflare's DDoS mitigation absorbs volumetric and application-layer attacks before they reach origin servers.
- IP Allowlisting: Administrative interfaces and SSH access are restricted to known IP addresses where operationally feasible.
- Rate Limiting: API endpoints and authentication routes are rate-limited to prevent brute-force attacks and abuse. Shopify webhook endpoints enforce HMAC validation to reject forged requests.
- Network Segmentation: Database servers do not accept connections from the public internet. Database access is restricted to the application server only.
7. Endpoint Protection
- Server Hardening: Production servers run minimal operating system installations with only required packages. Unnecessary services and daemons are disabled.
- Regular OS Patching: Operating system and software packages are updated regularly to address known vulnerabilities. Critical security patches are applied within 48 hours of release.
- Minimal Installed Packages: Only software required for application operation (PHP, MySQL, Nginx/Apache, Composer, Node.js) is installed. Development tools and debugging utilities are not installed on production.
- Disabled Unused Services: Services such as FTP, Telnet, and unnecessary cron jobs are disabled. Only SSH, the web server, MySQL, and queue workers run on production.
- File Integrity Monitoring: Critical system files and application configuration files are monitored for unauthorized changes.
- Automatic Security Updates: Unattended security updates are enabled for the operating system to ensure timely patching of critical vulnerabilities.
8. Data Backup and Recovery
8.1 Backup Schedule
- Daily automated MySQL backups: Full database dumps are performed every 24 hours during off-peak hours
- Incremental file backups: Application files and uploaded assets are backed up incrementally on a daily basis
- Configuration backups: Server configuration files and environment settings are backed up after every change
8.2 Backup Security
- All backups are encrypted using AES-256 before transfer and storage
- Backups are stored in geographically separate off-site locations
- Access to backup storage is restricted to authorized administrators only
- Backup integrity is verified using checksums after each backup operation
8.3 Retention and Testing
- 30-day retention: Daily backups are retained for a minimum of 30 days
- 90-day extended retention: Weekly snapshots are retained for 90 days
- Quarterly restore testing: Full database and application restore tests are conducted quarterly to verify backup integrity and measure Recovery Time Objective (RTO)
- Documented recovery procedures: Step-by-step recovery runbooks are maintained and updated after each restore test
8.4 Recovery Objectives
- Recovery Time Objective (RTO): Service restoration within 4 hours of a critical failure
- Recovery Point Objective (RPO): Maximum data loss of 24 hours (aligned with daily backup schedule)
9. Monitoring and Detection
- Application Log Monitoring: Laravel application logs are continuously monitored for errors, exceptions, and security-relevant events. Logs are retained for 90 days.
- Server Access Log Monitoring: Web server access logs and SSH authentication logs are reviewed for anomalous patterns, including unusual request volumes, geographic anomalies, and failed login attempts.
- Cloudflare Security Events: Cloudflare's security dashboard is monitored for blocked threats, WAF rule triggers, bot scores, and rate-limit violations.
- Failed Authentication Alerts: Repeated failed login attempts, OAuth failures, and API authentication errors trigger alerts for investigation.
- Anomalous API Usage Detection: Unusual patterns in Shopify API usage (e.g., unexpected spikes in requests, access from unknown IPs, or calls to unauthorized endpoints) are flagged for review.
- Webhook HMAC Validation Tracking: All incoming webhooks are validated against their HMAC-SHA256 signatures. Failed validations are logged and monitored as potential indicators of spoofed or tampered requests.
- Database Query Monitoring: Slow queries, failed queries, and unusual data access patterns are logged and reviewed.
- Disk and Resource Monitoring: Server disk usage, memory consumption, and CPU utilization are monitored to detect resource exhaustion attacks or system degradation.
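The webhook HMAC-SHA256 validation referred to in sections 4.1, 6 and 9, shown here as an added example that is not Gemhubx's own Laravel code: it signs the raw request bytes, compares in constant time, and produces the failed-validation records that section 9 says are logged and monitored, plus a simple per-source threshold for alerting. The `X-Shopify-Hmac-Sha256`, `X-Shopify-Topic` and `X-Shopify-Shop-Domain` header names are Shopify's documented ones; the secret, body and IP addresses are constructed test values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Shopify's documented signature header: the base64-encoded HMAC-SHA256 of the
# raw request body, keyed with the app's shared secret (compared case-insensitively).
SHOPIFY_HMAC_HEADER = "x-shopify-hmac-sha256"


def sign_body(secret: str, raw_body: bytes) -> str:
    """Sender-side signature (Shopify's role); used here only to build fixtures."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook_signature(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header is a valid signature over the exact raw bytes.

    Sign the bytes as received, never a re-serialized JSON document: any
    whitespace or key-order change would invalidate a genuine signature.
    """
    if not header_value:
        return False
    try:
        presented = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return False  # malformed header is a failed validation, not a server error
    expected = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    # constant-time compare: a plain == would leak how many leading bytes matched
    return hmac.compare_digest(expected, presented)


def handle_webhook(secret: str, headers: Dict[str, str], raw_body: bytes, source_ip: str) -> Dict:
    """Accept or reject an inbound webhook and emit the monitoring record the
    policy calls for (failed validations are logged for review)."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    header_value = hdrs.get(SHOPIFY_HMAC_HEADER)
    ok = verify_webhook_signature(secret, raw_body, header_value)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": "webhook_hmac_ok" if ok else "webhook_hmac_failed",
        "shop": hdrs.get("x-shopify-shop-domain", "unknown"),
        "topic": hdrs.get("x-shopify-topic", "unknown"),
        "source_ip": source_ip,
        "header_present": header_value is not None,
        "body_sha256": hashlib.sha256(raw_body).hexdigest(),  # never log the body itself
    }
    # Only a verified body is handed to the application; rejected requests get 401.
    return {"accepted": ok, "status": 200 if ok else 401, "log": record}


def failed_validation_alerts(records: List[Dict], threshold: int = 5) -> List[str]:
    """Source IPs whose failed-validation count reaches the threshold (alert candidates)."""
    counts: Dict[str, int] = {}
    for r in records:
        if r["event"] == "webhook_hmac_failed":
            counts[r["source_ip"]] = counts.get(r["source_ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```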
10. Data Retention and Disposal
Data is retained only for as long as necessary to fulfill its purpose or as required by law. The following table outlines our retention schedule:
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Active merchant accounts | While account is active and app is installed | N/A (active use) |
| Post-uninstall merchant data | 30 days after uninstallation | Permanent deletion from database and file storage |
| GDPR redaction requests | Processed within 48 hours of receipt | Targeted deletion or anonymization of specified PII |
| Order and transaction records | 7 years (tax and legal compliance) | Anonymized after retention period; originals securely deleted |
| Encrypted backups | 90 days | Secure deletion from backup storage (cryptographic erasure) |
| User sessions | 24 hours of inactivity | Automatic purge from session store |
| Application logs | 90 days | Automatic rotation and secure deletion |
| Server access logs | 90 days | Automatic rotation and secure deletion |
| Cloudflare analytics data | As per Cloudflare's retention policy | Managed by Cloudflare |
| Support correspondence | 3 years after last interaction | Secure deletion from email and ticketing systems |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymized. Deletion is verified and logged. Encrypted data may be disposed of through cryptographic erasure (destruction of the encryption key).
11. Incident Response
Gemhubx maintains a Security Incident Response Policy to address data loss events, security breaches, and other incidents. The full policy is available in our Security Policy.
Our incident response framework follows four phases:
- Detection and Identification: Automated monitoring systems and manual review processes identify potential security incidents. All personnel are trained to recognize and report suspected incidents immediately.
- Containment: Upon confirmation of an incident, immediate steps are taken to contain the threat and prevent further data loss. This may include isolating affected systems, revoking compromised credentials, and blocking malicious IP addresses.
- Eradication and Recovery: The root cause is identified and eliminated. Affected systems are restored from verified clean backups. All compromised credentials are rotated. Systems are verified clean before being returned to service.
- Post-Incident Review: A thorough post-mortem analysis is conducted within 72 hours of incident resolution. Findings are documented, lessons learned are incorporated into policies and procedures, and preventive measures are implemented to reduce the likelihood of recurrence.
In the event of a data breach affecting personal data, we will notify affected individuals and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR).
12. Employee and Personnel Security
- Security Awareness Training: All personnel with access to Gemhubx systems undergo security awareness training upon onboarding and receive refresher training annually. Training covers phishing, social engineering, password hygiene, data handling, and incident reporting.
- Acceptable Use Policy: All personnel acknowledge and adhere to an acceptable use policy governing the use of Gemhubx systems, data, and resources.
- Clean Desk Policy: Sensitive information is not left visible on screens or desks when unattended. Screens are locked when stepping away from workstations.
- Secure Remote Access: Remote access to production systems is permitted only through encrypted VPN or SSH connections. Public Wi-Fi is not used for accessing sensitive systems without VPN protection.
- Non-Disclosure Agreements (NDAs): All personnel and contractors sign NDAs covering confidential business information and customer data before being granted access to Gemhubx systems.
- Access Revocation: Access to all systems is revoked within 24 hours of personnel departure or role change. All credentials, keys, and tokens associated with the individual are rotated or destroyed.
13. Third-Party Risk Management
- Sub-Processor Vetting: All third-party service providers that process data on our behalf are evaluated for their security posture, compliance certifications, and data protection practices before engagement.
- Contractual Data Protection: All sub-processors are bound by data processing agreements that require them to maintain security measures at least as protective as our own, process data only as instructed, and notify us promptly of any security incidents.
- Regular Review of Third-Party Access: Third-party access permissions are reviewed quarterly. Access is revoked for any provider no longer in use or whose security posture has degraded.
- Vendor Security Assessments: Critical vendors undergo periodic security assessments, including review of their SOC 2 reports, penetration test results, or equivalent security documentation.
- Minimized Data Sharing: Only the minimum data necessary for the third party to perform its function is shared. Data is transmitted using encrypted channels exclusively.
Our current sub-processors include:
- Shopify: E-commerce platform integration (OAuth, API, webhooks)
- Cloudflare: CDN, WAF, DDoS protection, and DNS management
- Contabo: VPS hosting infrastructure
- Let's Encrypt: TLS/SSL certificate issuance
14. Compliance
Gemhubx maintains compliance with the following regulations and industry standards:
- General Data Protection Regulation (GDPR): We comply with GDPR requirements for the processing of personal data of individuals in the European Economic Area, United Kingdom, and Switzerland. This includes implementing data protection by design and by default, maintaining records of processing activities, and honoring data subject rights.
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA): We comply with CCPA/CPRA requirements for California residents, including the right to know, right to delete, and right to opt-out of sale of personal information. We do not sell personal data.
- Shopify Partner Requirements: We adhere to all Shopify Partner Program policies, including data protection requirements, API usage guidelines, and app store review criteria.
- PCI-DSS Awareness: Gemhubx does not store, process, or transmit cardholder data. All payment processing is handled by Shopify's PCI-DSS compliant payment infrastructure. We maintain awareness of PCI-DSS requirements to ensure we never inadvertently handle card data.
15. Policy Review
- Quarterly Review: This DLP Strategy is reviewed quarterly to ensure it remains current with evolving threats, regulatory changes, and operational modifications.
- Post-Incident Updates: This strategy is reviewed and updated following any security incident to incorporate lessons learned and strengthen controls.
- Annual Comprehensive Audit: An annual comprehensive audit of all DLP controls, procedures, and technologies is conducted to verify effectiveness and identify areas for improvement.
- Change-Driven Updates: Any significant change to infrastructure, third-party services, or data processing activities triggers a review of relevant sections of this strategy.
- Version Control: All revisions to this strategy are tracked, dated, and approved by designated security personnel.
16. Contact
For questions, concerns, or reports related to data loss prevention, data security, or this strategy, please contact:
Gemhubx Security Team
Email: [email protected]
Website: https://gemhubapp.com
To report a security vulnerability or suspected data breach, please email [email protected] immediately. Include as much detail as possible to aid in investigation.