Security and incident response
EcoTraceIT applies technical and organisational controls proportionate to its minimised data set.
Last updated: 13 July 2026
Controls
- TLS in transit and provider-managed protection at rest.
- Secrets stored in a secret manager and never committed.
- Least privilege, Shopify session tokens and webhook HMAC validation.
- Structured logs without direct customer data, dependency checks and managed backups.
- Separate environments and credentials where applicable; test data is not used commercially.
Incident handling
Report vulnerabilities to mikforlani@gmail.com with subject SECURITY. We acknowledge, contain, assess impact and root cause, recover safely, and notify merchants, Shopify and authorities within applicable deadlines. Please coordinate disclosure until remediation is available.