Security & Incident Response Policy

AMNYA Technology — Last updated: May 2026

AMNYA Technology develops and operates Shopify apps for merchants. We take the security of merchant data and customer information seriously. This page describes our security practices and the steps we take when a security incident occurs. This policy applies to all apps published by AMNYA Technology.

1. Data We Access

Each AMNYA Technology app accesses only the minimum data required to provide its specific functionality, as declared during installation through Shopify's permission system. Data is accessed exclusively through the Shopify Admin API and is used solely to deliver the app's stated features to the merchant.

We do not sell, share, or use merchant or customer data for any purpose beyond providing the app's functionality. We do not access payment details, customer passwords, or any data beyond what is explicitly requested during installation.

2. Data Protection Practices

Encryption

All data is encrypted in transit using TLS 1.2 or higher (HTTPS enforced everywhere).
Shopify access tokens are encrypted at rest using AES-256 before being stored in the database.
Database backups are encrypted at rest.

Access Control

Access to production systems is restricted to authorized AMNYA Technology personnel only.
No third-party staff have access to merchant or customer data.

Data Isolation

Development and production environments are fully separate with no shared data.
Each merchant's data is logically isolated within the database — no merchant can access another merchant's data.

Retention

Data is retained only as long as necessary to provide app functionality. Merchants may contact us at any time to request deletion of their data.
When a merchant uninstalls an app, their Shopify access token is immediately cleared from our database.

Access Logging

Significant data processing events are logged in an audit trail tied to the merchant's account, allowing us to investigate any concerns about data access.

3. Security Incident Response

To report a security vulnerability, email us at security@amnyatech.com. We respond to all security reports within 72 hours.

What Constitutes a Security Incident

A security incident includes, but is not limited to:

Unauthorized access to merchant or customer data
Exposure of Shopify access tokens or API credentials
A data breach affecting any personal information we process
Compromise of our production infrastructure
Vulnerability discovered in our application that could expose data

Response Process

Detection: Upon becoming aware of a potential incident, we immediately begin investigation to assess scope and severity.
Containment: We isolate affected systems, revoke compromised credentials, and block further unauthorized access.
Assessment: We determine what data was accessed, which merchants or customers are affected, and the root cause.
Merchant notification (within 72 hours): Affected merchants are notified by email with details of what happened, what data was involved, and what steps we have taken.
Remediation: We patch the vulnerability, rotate all affected credentials, and deploy fixes.
Post-incident review: We conduct a full review, document lessons learned, and update our practices to prevent recurrence.

Shopify Notification

In the event of a breach involving Shopify merchant or customer data, we will notify Shopify in accordance with our Partner Agreement and applicable data protection laws.

4. Merchant Responsibilities

Merchants are responsible for keeping their Shopify store credentials secure and for ensuring that any email addresses or external services configured within our apps are controlled by authorized personnel only.

5. Contact

For security concerns or data-related requests:

Security reports: security@amnyatech.com
General support: support@amnyatech.com
Data deletion requests: support@amnyatech.com