Information Security Policy
Last updated: May 30, 2026 — Effective Date: May 30, 2026
Gemhubx maintains a published, management-approved Information Security Policy and an ongoing information security program. This document describes the policies, controls, and governance practices that protect the confidentiality, integrity, and availability of the data entrusted to us. It is reviewed at least annually and updated as our platform, infrastructure, and regulatory obligations evolve.
This Information Security Policy ("Policy") establishes the security principles, controls, and responsibilities that Gemhubx, operated by Frenchy Digital L.L.C. ("Company," "we," "us," or "our"), applies across its people, processes, and technology. Gemhubx operates as a Shopify application and standalone platform accessible at https://gemhubapp.com. As a processor of merchant and end-customer data, we maintain a documented security program aligned with recognized frameworks including the NIST Cybersecurity Framework, ISO/IEC 27001, and the security requirements of the GDPR (Article 32), the CCPA, and the Shopify Partner Program.
1. Purpose & Scope
The purpose of this Policy is to define how Gemhubx protects information assets against unauthorized access, disclosure, alteration, loss, or destruction, and to demonstrate that the Company operates a structured, continually improving information security program.
This Policy applies to:
- All production, staging, and development systems that store, process, or transmit Company or merchant data — including application servers, the MySQL database, background queue workers, and the Contabo VPS infrastructure
- All data categories handled by the platform, including merchant account data, encrypted Shopify and WooCommerce OAuth tokens, end-customer personal data, product and pricing data, logs, and internal credentials
- All employees, contractors, and temporary staff with access to Company systems
- All third-party service providers and sub-processors that access Company infrastructure or data
2. Governance & Ownership
Information security is owned and sponsored by Company management. A designated security owner is responsible for maintaining this Policy, overseeing the security program, coordinating risk assessments, and ensuring controls remain effective.
- Approval: This Policy is reviewed and approved by Company management.
- Review cadence: The Policy and supporting program are reviewed at least annually, and additionally following any significant change to the platform, infrastructure, or threat landscape, or after any major security incident.
- Accountability: All personnel are responsible for complying with this Policy and for reporting suspected security weaknesses or incidents.
- Enforcement: Violations may result in disciplinary action, up to and including termination of access or engagement.
3. Risk Management
Gemhubx takes a risk-based approach to security. We periodically identify and assess risks to our systems and data, evaluate their likelihood and impact, and apply controls proportionate to the risk. Risk assessments inform decisions about architecture, vendor selection, access provisioning, and prioritization of remediation work.
4. Access Control & Authentication
- Least privilege: Access to systems and data is granted on a need-to-know basis and limited to what each role requires.
- Authentication: Administrative and infrastructure access requires strong, unique credentials, and multi-factor authentication is enabled where supported.
- Token security: Shopify and WooCommerce OAuth tokens and API secrets are encrypted at rest and never exposed in logs or client-side code.
- Session security: Sessions use secure, SameSite-scoped cookies sent only over HTTPS, and session identifiers are regenerated on privilege changes such as login and role elevation.
- Provisioning & de-provisioning: Access is reviewed periodically and revoked promptly when no longer required.
5. Data Protection & Encryption
- In transit: All data is transmitted over HTTPS/TLS. HTTP is redirected to HTTPS and mixed content is prohibited.
- At rest: Sensitive data — including OAuth tokens, API secrets, and credentials — is encrypted at rest.
- Data minimization: We collect and retain only the data necessary to operate the service, and we redact or avoid logging personal data and secrets.
- Deletion & redaction: Customer personal data is deleted or redacted in response to GDPR/CCPA requests and Shopify GDPR webhooks, and is removed after merchant uninstall.
6. Network & Infrastructure Security
- A managed firewall restricts inbound access to required ports only (HTTP, HTTPS, and SSH).
- Cloudflare provides DDoS mitigation, TLS termination, and a protective proxy layer in front of the application.
- Servers are hardened, kept patched, and run with least-privilege service accounts.
- A Content Security Policy (including a frame-ancestors directive) and standard security headers (HSTS, X-Content-Type-Options, Referrer-Policy) are enforced to mitigate clickjacking and content-injection attacks.
- Webhook endpoints validate HMAC signatures and are rate-limited.
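One way a webhook endpoint can implement the two controls above, written here as an added illustration rather than Gemhubx's own code. It is Python, uses the documented signature header names for Shopify (X-Shopify-Hmac-SHA256) and WooCommerce (X-WC-Webhook-Signature), and constructs its secrets and webhook bodies inline for the demo; the rate limiter's key (shop domain), limit and window are assumptions, not values from this Policy.

```python
import base64
import hashlib
import hmac
import json
from collections import deque

# Documented signature header names used by the two platforms.
SHOPIFY_HMAC_HEADER = "X-Shopify-Hmac-SHA256"
WOO_SIGNATURE_HEADER = "X-WC-Webhook-Signature"

# Constructed secrets for this example only; a real deployment reads them from
# environment configuration, never from source control.
SHOPIFY_CLIENT_SECRET = b"example-shopify-client-secret-not-real"
WOO_WEBHOOK_SECRET = b"example-woocommerce-webhook-secret-not-real"


def compute_signature(raw_body: bytes, secret: bytes) -> str:
    """Base64(HMAC-SHA256(secret, raw_body)): the encoding both platforms send."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, headers: dict, secret: bytes, header_name: str) -> bool:
    """Accept a webhook only if the signature header is present and matches the raw body.

    The MAC must be computed over the exact bytes received, not over a re-serialised
    parsed payload, and compared in constant time so response timing does not leak
    the expected value byte by byte.
    """
    supplied = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if not supplied:
        return False  # unsigned request: reject, never fall back to processing it
    expected = compute_signature(raw_body, secret)
    return hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8"))


class SlidingWindowLimiter:
    """Per-key limiter (assumed key: the sending shop's domain). Time is injected for testability."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._events = {}  # key -> deque of accepted-request timestamps

    def allow(self, key: str, now: float) -> bool:
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def signed_request(body: bytes, secret: bytes, header_name: str) -> dict:
    """Headers a legitimate sender would attach (helper for the demo)."""
    return {header_name: compute_signature(body, secret), "Content-Type": "application/json"}


def demo() -> dict:
    # Constructed webhook body; the double space is deliberate, a JSON round-trip will not keep it.
    body = b'{"id": 1001,  "email": "customer@example.com", "shop_domain": "example.myshopify.com"}'
    headers = signed_request(body, SHOPIFY_CLIENT_SECRET, SHOPIFY_HMAC_HEADER)
    reserialised = json.dumps(json.loads(body)).encode()
    tampered = body.replace(b"1001", b"1002")

    woo_body = b'{"id": 77, "status": "completed"}'
    woo_headers = signed_request(woo_body, WOO_WEBHOOK_SECRET, WOO_SIGNATURE_HEADER)

    return {
        "valid": verify_webhook(body, headers, SHOPIFY_CLIENT_SECRET, SHOPIFY_HMAC_HEADER),
        "tampered_body": verify_webhook(tampered, headers, SHOPIFY_CLIENT_SECRET, SHOPIFY_HMAC_HEADER),
        "missing_header": verify_webhook(body, {"Content-Type": "application/json"},
                                         SHOPIFY_CLIENT_SECRET, SHOPIFY_HMAC_HEADER),
        "wrong_secret": verify_webhook(body, headers, WOO_WEBHOOK_SECRET, SHOPIFY_HMAC_HEADER),
        # Verifying against re-serialised JSON fails: the bytes changed, so the MAC no longer matches.
        "reserialised_body": verify_webhook(reserialised, headers, SHOPIFY_CLIENT_SECRET, SHOPIFY_HMAC_HEADER),
        "woo_valid": verify_webhook(woo_body, woo_headers, WOO_WEBHOOK_SECRET, WOO_SIGNATURE_HEADER),
    }


if __name__ == "__main__":
    print(demo())
```

The "reserialised_body" case is the common implementation mistake: a framework parses the JSON before the handler runs, the handler re-encodes it to compute the MAC, and every webhook is rejected (or, worse, the check is then disabled). The limiter is in-memory and per-process; with several application servers or queue workers behind Cloudflare, the counters would need a shared store to be enforced consistently.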
7. Secure Development & Change Management
- Code is version-controlled, reviewed before release, and tested through an automated test suite covering authentication, webhook handling, and data-processing logic.
- Input is validated and output is escaped; parameterized queries are used to prevent injection.
- Secrets are kept out of source control and supplied through environment configuration only.
- Dependencies are monitored for known vulnerabilities and updated as needed.
8. Vendor & Sub-Processor Management
We evaluate the security posture of third-party providers and sub-processors before granting them access to data or infrastructure, and we maintain contractual data-protection terms with them. Our current sub-processors and their roles are described in our Data Processing Agreement.
9. Logging & Monitoring
Application and infrastructure activity is logged and monitored to support the detection of anomalous or unauthorized behavior. Logs are retained for an appropriate period, protected against tampering, and reviewed as part of incident detection. Personal data and secrets are excluded or redacted from logs.
10. Incident Response
Gemhubx maintains a formal, documented incident response capability covering detection, classification, containment, eradication, recovery, and notification, including breach-notification obligations under GDPR and CCPA. Full details are published in our Security Incident Response Policy. Suspected incidents or vulnerabilities can be reported to [email protected].
11. Business Continuity & Backups
Critical data is backed up on a regular schedule, and recovery procedures are maintained so that service and data can be restored following a disruption, hardware failure, or data-loss event. Our data-loss prevention controls are described in our Data Loss Prevention Policy.
12. Employee Security Awareness
Personnel with access to Company systems are made aware of their security responsibilities under this Policy, including safe handling of credentials and data, recognition of phishing and social-engineering attempts, and the requirement to report suspected incidents promptly.
13. Compliance
Gemhubx's information security program is designed to meet the requirements of:
- GDPR Article 32 — Security of Processing: appropriate technical and organizational measures including encryption, ongoing confidentiality and integrity, availability, and regular assessment of effectiveness.
- CCPA: reasonable security procedures and practices appropriate to the nature of the personal information handled.
- Shopify Partner Program: security and data-handling obligations for apps that process merchant and customer data.
- Guiding frameworks: the NIST Cybersecurity Framework and ISO/IEC 27001 inform the structure of our controls.
14. Policy Review & Contact
This Policy is maintained as a living document and is reviewed at least annually. Questions about this Policy or our information security program, and requests for additional security documentation, can be directed to:
Security Team
Frenchy Digital L.L.C.
Email: [email protected]
Support: [email protected]