Security
Last updated: July 2026
How Shoptopus Responds to Security Incidents
Welcome to Shoptopus. When you sign up for any application built by Shoptopus, or make use of any service that Shoptopus offers, you accept and agree to be bound by the terms set out in this document.
Shoptopus builds and maintains a suite of Shopify apps that help merchants run their stores more efficiently. This includes Invoice Generator, which lets merchants create and customize commercial documents such as invoices, packing slips, credit notes, return labels, and shipping labels, and Bulk Image Upload, which lets merchants update product catalogs at scale. Any additional features or tools that we add to these Services in the future are also governed by this document.
We may, from time to time, revise, update, or restate this document, along with any other terms, rules, or conditions published on our website or within our applications. While we will make reasonable efforts to inform you of any such changes, you acknowledge that we are not obligated to provide notice and you waive any right to contest a provision of this Agreement on the basis of a previous change or a lack of adequate notice. If you do not accept, or are unable to comply with, the revised terms, you may not continue to use our applications. By continuing to use our applications after changes have been published on our applications and/or website, you will be considered to have accepted those changes. We reserve the right to decline to provide our services or products to anyone, at any time.
This document forms a legally binding agreement between you and Shoptopus (together referred to as "Shoptopus", "Invoice Generator", "Bulk Image Upload", "we", or "us") concerning your use of our applications and services. Please read it carefully and, where possible, retain a copy for your own records. In this Agreement, the terms "you", "your", "merchant", "store owner", "Shopify user", and "Customer" refer to you. If you access, use, or register for any Shoptopus application or service on behalf of a company or other organization, you accept these terms on that entity's behalf and represent to Shoptopus that you have the authority to bind that entity to them (in which case "you", "your", "merchant", "store owner", "Shopify user", and "Customer" refer to that entity or organization).
Policy Statement
The aim of this policy is to set out clearly the roles and responsibilities Shoptopus follows when investigating and responding to information security incidents and data breaches.
Scope
This policy applies to every information system that processes Shoptopus Data, irrespective of who owns or operates that system and of where it is located. It also extends to all personnel, including staff responsible for incident response, merchants who use our applications, contractors, and any other party authorized to access Shoptopus's assets and information resources.
Definitions
- The Security Incident Response Team is the function within Shoptopus responsible for receiving, assessing, and coordinating the response to reports of security incidents, including any events that involve Shoptopus Data and/or information systems.
- A data breach is the unauthorized access to, acquisition of, use of, or disclosure of restricted data. When a data breach takes place, Shoptopus conducts an internal investigation and risk assessment to establish its scope and impact, and complies with any applicable regulatory obligations regarding breach notification.
- An incident is any event, physical, social, or electronic, that adversely affects the confidentiality, integrity, or availability of Shoptopus's data or information systems. It also covers any actual or suspected activity that breaches Shoptopus's privacy policies or its terms and conditions.
- An information system is a combination of hardware, software, and networking components used together to carry out a specific business function. This can mean an individual computer or device, or larger arrangements involving multiple machines that work together, such as a server or a network of connected devices. The role of an information system is to process, store, and transmit data, and it may include both physical and virtual components. Examples include databases, websites, email systems, and enterprise resource planning (ERP) software.
Policy Specifics
- The Security Incident Response Team is responsible for detecting and investigating security events in order to decide whether an incident has occurred. Where an incident is confirmed, the team carries out a thorough investigation to determine its scope, cause, and the extent of any damage.
- The Security Incident Response Team directs the recovery, containment, and remediation of security incidents, including authorizing and enabling any changes to information systems that are needed to address them. The team also coordinates response efforts with external parties where an existing agreement places responsibility for an investigation with that party, and works alongside other stakeholders within Shoptopus to ensure incidents are handled promptly and effectively.
- As part of an investigation, and in line with our internal monitoring policies, the Security Incident Response Team is authorized to monitor Shoptopus's IT resources and to retrieve communications and relevant records for specific application users, including login session data and the content of communications, where this is necessary to investigate an incident.
- Any external disclosure of information concerning a security incident is subject to review and approval by Shoptopus management, in consultation with the relevant parties.
- The Security Incident Response Team may collaborate with law enforcement, government agencies, peer response teams, and relevant Information Sharing and Analysis Centers to identify and investigate security incidents. As part of this work, the team is authorized to share information about external threats and incidents with those organizations, provided that such information does not identify any individual user of a Shoptopus application. This cooperation supports the identification and prevention of security incidents and helps protect Shoptopus's information systems and data.
Reporting and Review
- Anyone with access to Shoptopus Data or information systems must report any security incident involving those assets to the Shoptopus support team at support@shoptopus.info without delay, regardless of whether they were involved in the incident. They are expected to cooperate fully with any related investigation and must not interfere with, obstruct, or prevent that investigation, nor retaliate against or discourage others from reporting an incident or taking part in an investigation.
- Personnel responsible for security administration develop and apply procedures that help users recognize and promptly report security incidents, and ensure that staff within their area are adequately trained on Shoptopus's information security policies and procedures.
- Personnel responsible for security management handle and periodically document lower-severity security incidents in line with established procedures. If they identify or are informed of a high-severity incident, they promptly escalate it to the Security Incident Response Team.
- The Security Incident Response Team responds to high-severity incidents in accordance with Shoptopus's incident response plan. It coordinates the containment, recovery, and remediation of those incidents, authorizes and expedites any changes to information systems required to do so, and, where necessary for an investigation, monitors relevant Shoptopus IT resources and retrieves the communications and records of specific users.
- Shoptopus management is responsible for ensuring that the Security Incident Response Team is adequately staffed, and the team may be supplemented with subject matter experts or additional staff as needed to respond effectively to security incidents.
Policy Violations
Failure to comply with this policy may result in disciplinary measures for staff, up to and including termination of employment. Merchants found to be in breach of this policy may have their access to our applications terminated.
Compliance
Shoptopus's policies are designed to align with applicable compliance standards, which set out how organizations should protect personally identifiable information (PII) and other sensitive data.
Contact Us
If you have questions about this Security policy, or wish to report a suspected security incident, please contact us at support@shoptopus.info.