Data Loss Prevention Policy
Last updated: March 3, 2026
1. Purpose
This policy defines the controls and practices Sentinel uses to prevent unauthorized access, exfiltration, or loss of customer data, including personally identifiable information (PII) obtained through Shopify and other platform integrations.
2. Data Classification
| Classification | Examples | Controls |
| Confidential | Customer names, email addresses, order data, OAuth tokens, API credentials | Encrypted at rest, access-controlled, audit-logged |
| Internal | KPI snapshots, alert configurations, brand settings, AI recommendations | Access-controlled per brand ownership |
| Public | Platform names, supported features, documentation | No special controls required |
3. Encryption Controls
3.1 Data at Rest
- Credentials: All OAuth tokens, API keys, and platform credentials are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before storage in the database
- Database backups: Daily automated backups are Fernet-encrypted and stored separately from the primary database. Backups are retained for 7 days with automatic pruning of older copies
- Passwords: User passwords are hashed with bcrypt (cost factor 12) — never stored in plaintext
3.2 Data in Transit
- All external communications use HTTPS/TLS
- Webhook payloads validated via HMAC signatures (Shopify, Slack)
- OAuth flows use state parameters to prevent CSRF attacks
4. Access Controls
4.1 Authentication
- JWT-based authentication with HS256 signing and configurable token expiration
- Password requirements enforced at registration (minimum 8 characters)
- Rate limiting on authentication endpoints to prevent brute-force attacks
4.2 Authorization
- Brand-level data isolation: users can only access data for brands they own or are team members of
- Role-based access: owner, admin, analyst, viewer roles with decreasing permission levels
- All data-fetching endpoints validate brand ownership before returning data
- API rate limiting via SlowAPI on all endpoints
4.3 Staff Access
- Production database access restricted to authorized personnel only
- No plaintext credentials accessible to any staff — all credentials are Fernet-encrypted
- Railway deployment platform access controlled via team permissions
5. Data Retention & Deletion
- Customer data: Retained while the associated brand account is active. Deleted upon Shopify app uninstall per GDPR compliance webhook (
shop/redact)
- Individual customer records: Deleted within 48 hours upon Shopify
customers/redact webhook
- Backups: Encrypted backups retained for 7 days, then automatically pruned
- Logs: Application logs retained per Railway platform defaults (no customer PII in logs — PII is scrubbed before logging)
6. Data Loss Prevention Controls
6.1 Exfiltration Prevention
- CORS policy restricts API access to configured frontend origins only
- No bulk data export endpoints — data is served per-brand, per-page
- Webhook signature validation prevents unauthorized data injection
6.2 PII Scrubbing
- Customer PII (emails, names, addresses, phone numbers, SSNs, card numbers) is scrubbed from messages before AI processing
- Error logs exclude customer PII content
- AI recommendations contain aggregated metrics only, not individual customer data
6.3 Backup Integrity
- Daily encrypted backups ensure recovery capability
- Backup encryption uses the same Fernet key infrastructure as credential encryption
- Backup files are named with UTC timestamps for clear ordering and retention management
7. Monitoring & Auditing
- All authentication events are logged (success and failure)
- OAuth token refresh and expiry events are monitored and logged
- GDPR data deletion requests are logged with timestamps and scope
- Webhook HMAC validation failures are logged as potential security events
8. Policy Review
This policy is reviewed and updated at least annually, or whenever significant changes are made to data handling practices or system architecture.
9. Contact
For data protection inquiries, contact: privacy@trysignal.co