Security Best Practices

Protect your digital content and customer data with comprehensive security best practices.

Multi-layer protection:

Layer 1: Access Control
• Authentication (customer verification)
• Authorization (purchase validation)
• Fraud prevention
• IP restrictions
Layer 2: Download Security
• Time-limited access (expiry)
• Usage limits (download count)
• Unique tokens (one-time use)
• IP tracking
Layer 3: Content Protection
• File watermarking
• Encryption in transit (HTTPS)
• Encrypted storage
• CDN signed URLs
Layer 4: Monitoring
• Access logs
• Anomaly detection
• Fraud pattern recognition
• Alerting
Layer 5: Incident Response
• Breach detection
• Customer access revocation
• Legal action procedures
• Post-incident review

Common threats:

Risk: Unauthorized sharing
Impact: Lost revenue, content piracy
Likelihood: High
Mitigation: Watermarking, download limits
Risk: Account takeover
Impact: Unauthorized downloads
Likelihood: Medium
Mitigation: Strong authentication, fraud detection
Risk: Payment fraud
Impact: Chargebacks, content loss
Likelihood: Medium
Mitigation: Fraud prevention, Shopify fraud analysis
Risk: API abuse
Impact: System overload, data theft
Likelihood: Low
Mitigation: Rate limiting, API key security
Risk: Data breach
Impact: Customer data exposed, GDPR fines
Likelihood: Low
Mitigation: Encryption, access controls, audits

Strategic expiry configuration:

By product value:

Low value (<$30):
Expiry: 30-60 days
Reasoning:
• Balances security and convenience
• Most downloads within first week
• Reduces piracy window
• Allows re-download if needed
Examples:
• Single PDF guide: 30 days
• Worksheet template: 45 days
• Small audio file: 60 days
Medium value ($30-$100):
Expiry: 60-90 days
Reasoning:
• Gives customers flexibility
• Reduces support requests
• Still limits redistribution window
• Standard industry practice
Examples:
• Course bundle: 90 days
• Software template pack: 60 days
• Video tutorial series: 75 days
High value (>$100):
Expiry: 30-60 days
Reasoning:
• Stricter protection for premium content
• Encourages immediate download
• Limits piracy exposure
• Can extend on request
Examples:
• Premium course: 45 days
• Comprehensive software: 30 days
• Master class collection: 60 days

Custom expiry policies:

Subscription products:
Expiry: As long as subscription active
Renew: Automatically with each billing cycle
Revoke: Immediately on cancellation
Licensing products:
Expiry: Match license duration
Example: 1-year license = 365-day download access
Renewal: Extend access with license renewal
Limited releases:
Expiry: Short window (7-14 days)
Reason: Time-sensitive content, scarcity
Example: Event recordings, limited drops
Educational institutions:
Expiry: Semester/term length (120-180 days)
Purpose: Student access during course

Strategic limit configuration:

By product type:

Digital products (PDF, docs):
Limit: 5-10 downloads
Reasoning:
• Multiple devices (phone, tablet, computer)
• Re-download if lost
• Accidental deletions
• Device upgrades
Software/templates:
Limit: 3-5 downloads
Reasoning:
• Typically installed once
• Fewer re-download needs
• Stricter control for commercial use
Media files (video, audio):
Limit: 5-10 downloads
Reasoning:
• Multiple devices
• Streaming vs download
• Backup purposes
Bundles/packs:
Limit: 10-15 downloads
Reasoning:
• Many files to download
• Selective downloads
• Re-access specific files

Unlimited downloads:

When to consider:
☑ Subscription products (ongoing access)
☑ Very low-value items (<$10)
☑ Customer lifetime value important
☑ Minimal piracy risk
☑ Strong customer trust
When to avoid:
❌ High-value products (>$100)
❌ Easy-to-redistribute content
❌ Anonymous/guest checkouts
❌ High fraud risk categories
❌ New shop (no trust established)
Hybrid approach:
• Unlimited for 90 days
• Then reverts to limited (5 downloads)
• Best of both: convenience + protection

IP tracking:

Configuration:

Settings → Download Security → IP Tracking
☑ Enable IP logging
☑ Alert on multiple IPs (same order)
☑ Restrict to specific countries (optional)
☑ Block known proxy/VPN IPs (optional)
IP tracking benefits:
✓ Detect account sharing
✓ Identify suspicious patterns
✓ Geolocation analysis
✓ Fraud investigation evidence
✓ License compliance enforcement

Example log:

Order #1045 - Customer: john@example.com
Download #1: Jan 15, 3:05 PM
IP: 192.168.1.100 (New York, US)
Device: Chrome on Windows
Download #2: Jan 15, 3:07 PM
IP: 192.168.1.100 (New York, US)
Device: Safari on iPhone
Status: ✓ Normal (same location)
Download #3: Jan 16, 8:22 AM
IP: 45.123.67.89 (London, UK)
Device: Chrome on Windows
Status: ⚠️ Different country - Alert triggered

IP restrictions:

Strict mode (high-value products):
• Lock to first IP address used
• Customer must request IP change
• Manual approval required
Flexible mode (standard):
• Allow 3-5 different IPs
• Alert if exceeded
• Automatic temporary block
Country restrictions:
• Allow specific countries only
• Block high-risk countries
• Comply with licensing restrictions
Example configuration:
Settings → Download Security → IP Restrictions
☑ Max 3 unique IPs per order
☑ Block: Russia, China, Nigeria (example)
☑ Require manual approval for IP change
☐ Strict mode (lock to first IP)
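The example log and the IP restriction settings above, turned into detection logic as an added example (not Alva's own code): it groups constructed download log entries by order, marks a download from a different country than the first one, raises a critical alert once an order crosses the "max 3 unique IPs" threshold or hits the example block list, and assigns the severity that decides whether the alert goes out immediately or in the daily digest.

```javascript
// Constructed download-log entries modelled on the example log above (not real data)
const SAMPLE_DOWNLOADS = [
  { order: 1045, email: 'john@example.com', at: '2024-01-15T15:05:00Z', ip: '192.168.1.100', country: 'US', device: 'Chrome on Windows' },
  { order: 1045, email: 'john@example.com', at: '2024-01-15T15:07:00Z', ip: '192.168.1.100', country: 'US', device: 'Safari on iPhone' },
  { order: 1045, email: 'john@example.com', at: '2024-01-16T08:22:00Z', ip: '45.123.67.89', country: 'GB', device: 'Chrome on Windows' },
  { order: 1046, email: 'jane@example.com', at: '2024-01-16T09:00:00Z', ip: '203.0.113.10', country: 'US', device: 'Chrome on macOS' },
  { order: 1046, email: 'jane@example.com', at: '2024-01-16T09:20:00Z', ip: '198.51.100.7', country: 'GB', device: 'Firefox on Linux' },
  { order: 1046, email: 'jane@example.com', at: '2024-01-16T10:05:00Z', ip: '203.0.113.55', country: 'AU', device: 'Chrome on Windows' },
  { order: 1046, email: 'jane@example.com', at: '2024-01-16T10:40:00Z', ip: '198.51.100.90', country: 'DE', device: 'Safari on iPhone' },
];

// Mirrors the example configuration above: max 3 unique IPs per order, example block list
const DEFAULT_POLICY = { maxUniqueIps: 3, blockedCountries: ['RU', 'CN', 'NG'] };

// Status of a single download relative to the order's first download
function classifyDownload(event, firstEvent, policy) {
  if (policy.blockedCountries.includes(event.country)) return 'blocked_country';
  if (firstEvent && event.country !== firstEvent.country) return 'different_country';
  return 'normal';
}

// Critical alerts go out immediately; warnings belong in the daily digest
function severityOf(alerts) {
  if (alerts.some((a) => a.type === 'ip_limit_exceeded' || a.type === 'blocked_country')) return 'critical';
  if (alerts.length > 0) return 'warning';
  return 'ok';
}

function analyzeDownloads(events, policy = DEFAULT_POLICY) {
  const reports = new Map();
  // Process in time order so "first download" really is the earliest one
  const ordered = [...events].sort((a, b) => a.at.localeCompare(b.at));
  for (const event of ordered) {
    if (!reports.has(event.order)) {
      reports.set(event.order, {
        order: event.order, email: event.email, downloads: [], ips: new Set(), countries: new Set(), alerts: [],
      });
    }
    const r = reports.get(event.order);
    const status = classifyDownload(event, r.downloads[0], policy);
    r.downloads.push({ ...event, status });
    r.ips.add(event.ip);
    r.countries.add(event.country);
    if (status !== 'normal') {
      r.alerts.push({ type: status, ip: event.ip, country: event.country, at: event.at });
    }
    // Unique-IP limit: raised once, at the download that crossed the threshold
    if (r.ips.size === policy.maxUniqueIps + 1) {
      r.alerts.push({ type: 'ip_limit_exceeded', uniqueIps: r.ips.size, limit: policy.maxUniqueIps, at: event.at });
    }
  }
  return [...reports.values()].map((r) => ({
    ...r, ips: [...r.ips], countries: [...r.countries], severity: severityOf(r.alerts),
  }));
}

// One-line-per-order summary in the style of the log view above
function formatReport(report) {
  const head = `Order #${report.order}: ${report.downloads.length} downloads, ${report.ips.length} IPs (${report.severity})`;
  const lines = report.alerts.map((a) => `  ${a.type} at ${a.at}${a.ip ? ` from ${a.ip} (${a.country})` : ''}`);
  return [head, ...lines].join('\n');
}

for (const r of analyzeDownloads(SAMPLE_DOWNLOADS)) console.log(formatReport(r));
```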

Secure token generation:

Token structure:

Secure download token:
Format: 64-character random string
Example: a3f5e8b2c4d6f8a1b3c5d7e9f1a3b5c7d9e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9
Properties:
• Cryptographically random (not predictable)
• Single-use or time-limited
• Tied to customer + order + file
• Cannot be guessed or brute-forced
• Expires after use or timeout
Token validation:
1. Check expiry date
2. Verify not already used (if single-use)
3. Match to customer + order
4. Check download limit not exceeded
5. Verify IP if restrictions enabled
6. Log access attempt

Token generation (technical):

// ✅ GOOD: Secure token generation
import crypto from 'crypto';
import { prisma } from './lib/prisma'; // assumed path: wherever your Prisma client is exported
function generateDownloadToken() {
  // Result: 64-character hex string
  // Entropy: 256 bits (virtually impossible to guess)
  return crypto.randomBytes(32).toString('hex');
}
// async: the function awaits the database write
async function createDownloadLink(order, file, customer) {
  const token = generateDownloadToken();
  // Store in database with metadata
  await prisma.download.create({
    data: {
      token: token,
      orderId: order.id,
      fileId: file.id,
      customerId: customer.id,
      customerEmail: customer.email,
      expiresAt: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000), // 90 days
      downloadLimit: 5,
      downloadCount: 0,
      createdAt: new Date(),
    }
  });
  return `https://yourshop.com/download?token=${token}`;
}
// ❌ BAD: Predictable token (NEVER USE)
function badTokenGeneration(orderId) {
  // Predictable: Can be guessed/enumerated
  return `order-${orderId}-${Date.now()}`;
}
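The six validation steps listed under "Token validation", as an added example in the same Node style (not Alva's own code). An in-memory Map stands in for the prisma download table, the record fields match what createDownloadLink stores, and every record and request below is constructed; the policy object switches single-use mode and the unique-IP limit of Flexible mode on or off.

```javascript
// In-memory stand-in for the prisma `download` table (constructed)
const downloads = new Map();
const accessLog = [];
const TOKEN_RE = /^[0-9a-f]{64}$/; // 32 random bytes as hex, nothing else is looked up

function storeDownload(record) {
  downloads.set(record.token, { downloadCount: 0, ipsSeen: [], usedAt: null, ...record });
}

// Never log the whole token: a leaked log must not become a leaked download
function logAccess(token, request, allowed, reason) {
  accessLog.push({
    at: request.now.toISOString(), token: String(token).slice(0, 8) + '...',
    ip: request.ip, email: request.customerEmail, allowed, reason,
  });
}

// policy.singleUse: token dies after the first successful download
// policy.maxUniqueIps: null disables the IP check; Flexible mode uses 3-5
function validateDownloadToken(token, request, policy = { singleUse: false, maxUniqueIps: 3 }) {
  const deny = (reason) => { logAccess(token, request, false, reason); return { ok: false, reason }; };
  if (typeof token !== 'string' || !TOKEN_RE.test(token)) return deny('malformed_token');
  const rec = downloads.get(token);
  if (!rec) return deny('unknown_token');
  // 1. Check expiry date
  if (request.now >= rec.expiresAt) return deny('expired');
  // 2. Verify not already used (if single-use)
  if (policy.singleUse && rec.usedAt) return deny('already_used');
  // 3. Match to customer + order
  const sameCustomer = rec.customerEmail.toLowerCase() === String(request.customerEmail || '').toLowerCase();
  if (!sameCustomer || rec.orderId !== request.orderId) return deny('customer_order_mismatch');
  // 4. Check download limit not exceeded (null = unlimited)
  if (rec.downloadLimit !== null && rec.downloadCount >= rec.downloadLimit) return deny('limit_exceeded');
  // 5. Verify IP if restrictions enabled: a new IP is only allowed while under the limit
  if (policy.maxUniqueIps !== null && !rec.ipsSeen.includes(request.ip) && rec.ipsSeen.length >= policy.maxUniqueIps) {
    return deny('ip_limit_exceeded');
  }
  // 6. Log access attempt, then record the download
  rec.downloadCount += 1;
  rec.usedAt = rec.usedAt || request.now;
  if (!rec.ipsSeen.includes(request.ip)) rec.ipsSeen.push(request.ip);
  logAccess(token, request, true, 'ok');
  const remaining = rec.downloadLimit === null ? null : rec.downloadLimit - rec.downloadCount;
  return { ok: true, fileId: rec.fileId, remaining };
}

// Constructed record using the example token from above, 5 downloads, 90-day expiry
const SAMPLE_TOKEN = 'a3f5e8b2c4d6f8a1b3c5d7e9f1a3b5c7d9e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9';
storeDownload({
  token: SAMPLE_TOKEN, orderId: 1045, fileId: 'file_01', customerId: 'cust_01',
  customerEmail: 'john@example.com', expiresAt: new Date('2024-04-14T00:00:00Z'), downloadLimit: 5,
});

// First download from the order's own customer
console.log(validateDownloadToken(SAMPLE_TOKEN, {
  now: new Date('2024-01-15T15:05:00Z'), customerEmail: 'john@example.com', orderId: 1045, ip: '192.168.1.100',
}));
```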

Digital watermarking:

Watermark types:

Visible watermarks:
• Text overlay on PDFs
• Customer info + order ID
• Diagonal or footer placement
• Semi-transparent (30-50%)
Use cases:
✓ PDF documents, ebooks
✓ High-value content
✓ Deters casual sharing
✓ Identifies source if leaked
Invisible watermarks:
• Embedded in file metadata
• Not visible to customer
• Forensic identification
• Steganography
Use cases:
✓ Images, audio, video
✓ Professional content
✓ Copyright protection
✓ Legal evidence

Watermark configuration:

Settings:

Settings → Advanced Features → Watermarking
☑ Enable watermarking for PDFs
☑ Include customer information
☑ Include unique order ID
Watermark template:
"Licensed to {customer_name}
Order #{order_number}
Unique ID: {unique_id}
Download Date: {download_date}"
Position: Diagonal across page (every page)
Opacity: 35%
Color: Gray (#808080)
Font: Arial, 12pt
Example result:
"Licensed to John Smith
Order #1045
Unique ID: WM-a3f5e8b2c4
Download Date: Jan 15, 2024"

Watermark effectiveness:

Protection level by content type:
PDF documents:
Effectiveness: High
Reason: Visible deterrent, easy to identify
Limitation: Can be removed with tools
Images:
Effectiveness: Medium-High
Reason: Visible or invisible options
Limitation: Can be cropped or edited
Videos:
Effectiveness: High
Reason: Hard to remove, visible throughout
Limitation: Requires video processing
Audio:
Effectiveness: Medium
Reason: Invisible, forensic identification
Limitation: Compression may remove it
Software/templates:
Effectiveness: Low
Reason: Functional code, watermark not applicable
Alternative: License keys, activation
Best practice: Combine watermarking with other protections
• Watermark + Download limits + Expiry + IP tracking = Strong protection

File encryption:

Encryption in transit:

HTTPS/TLS everywhere:
☑ All download links use HTTPS
☑ SSL/TLS certificate valid
☑ TLS 1.2 or higher
☑ Strong cipher suites
Benefits:
• Prevents man-in-the-middle attacks
• Encrypts download during transfer
• Protects customer privacy
• Required for PCI compliance
Status check:
Settings → Security → SSL/TLS
Certificate: Valid
Expires: Dec 31, 2025
Grade: A+ (SSL Labs)

Encryption at rest:

Storage encryption:
☑ Cloudflare R2 encryption (AES-256)
☑ Database encryption
☑ Backup encryption
What's encrypted:
• File contents
• Customer data
• Download tokens
• API keys
Automatic: Enabled by default
No action needed: Handled by cloud provider

File-level encryption (advanced):

Use case: Ultra-sensitive content
Process:
1. Customer purchases
2. Server encrypts file with unique key
3. Key derived from customer email + order ID
4. Customer downloads encrypted file
5. Customer receives decryption key separately
6. Customer decrypts file locally
Benefits:
• File useless without key
• Even if file leaked, cannot be opened
• Key tied to specific customer
Drawback:
• Complex customer experience
• Requires decryption software
• Support burden increases
Recommendation: Only for enterprise/B2B high-value content

DRM options:

PDF DRM:

Settings → File Protection → PDF DRM
Options:
☑ Prevent printing
☑ Prevent copying/pasting text
☑ Prevent editing
☐ Require password to open
☑ Allow screen reader access (accessibility)
Password protection:
Auto-generate unique password per customer:
• Based on order ID + email
• Sent in email notification
• Cannot be shared easily
Limitations:
• Can be bypassed with tools
• May frustrate legitimate customers
• Balance security vs usability

Advanced DRM:

Third-party DRM services:
Adobe Content Server:
• Enterprise DRM for PDFs
• Device authorization
• Offline reading with limits
• Vendor: Adobe
Apple FairPlay:
• DRM for audio/video
• iTunes ecosystem
• Device limits
• Vendor: Apple
Google Widevine:
• DRM for video streaming
• Browser-based
• Multiple quality levels
• Vendor: Google
When to use:
• Large-scale operations (1,000+ orders/month)
• Very high-value content (>$500)
• Corporate/enterprise customers
• Strong piracy concerns
Cost: $500-$5,000/month
Complexity: High (integration required)

Comprehensive fraud prevention:

Fraud detection:

Settings → Fraud Prevention → Configuration
☑ Enable fraud checking (Shopify integration)
☑ Auto-approve low-risk orders
☐ Auto-approve medium-risk orders
☐ Auto-approve high-risk orders
☑ Hold downloads for manual review
Risk assessment factors:
• Shopify fraud analysis score
• AVS (Address Verification System)
• CVV verification
• IP geolocation
• Customer history
• Order value
• Billing/shipping address match
Example:
Order #1045 - $99 purchase
Shopify risk: Low
AVS: Match
CVV: Match
Customer: Repeat buyer
Result: ✓ Auto-approved (instant download)
Order #1046 - $299 purchase
Shopify risk: High
AVS: Mismatch
CVV: Not provided
Customer: First purchase
Result: ⚠️ Held for review (no download yet)

Fraud prevention rules:

Automatic rules:

Rule 1: High-value orders
Condition: Order value > $100
Action: Manual review required
Reason: Reduce chargeback risk
Rule 2: High-risk countries
Condition: IP from [country list]
Action: Manual review required
Reason: High fraud rates historically
Rule 3: Multiple orders same day
Condition: >3 orders same customer, same day
Action: Flag for review
Reason: Potential account takeover
Rule 4: Mismatched locations
Condition: IP country ≠ billing country
Action: Additional verification
Reason: Proxy/VPN usage, stolen card
Rule 5: Disposable email
Condition: Email from temporary email service
Action: Block or require verification
Reason: Anonymous, untraceable
Rule 6: Multiple failed payments
Condition: 3+ failed payment attempts
Action: Block customer temporarily
Reason: Card testing, fraud attempt
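The six automatic rules above as a small rule engine, added here as an example (not Alva's own code): each rule is a predicate over an order, the strictest triggered action decides the outcome, and the two constructed orders mirror the fraud detection example (#1045 auto-approved, #1046 held). The country list is the example list from the IP restrictions section, the disposable-domain list and the "a flag alone does not hold the download" rule are assumptions.

```javascript
// Thresholds follow the six rules above. The country list is the example list from the
// IP restrictions section; the disposable-domain list is a constructed placeholder.
const RULE_CONFIG = {
  highValueThreshold: 100,
  highRiskCountries: ['RU', 'CN', 'NG'],
  maxOrdersPerDay: 3,
  maxFailedPayments: 3,
  disposableEmailDomains: ['tempmail.example', 'throwaway.example'],
};

// Strictest triggered action wins
const ACTION_RANK = { auto_approve: 0, flag: 1, additional_verification: 2, manual_review: 3, temporary_block: 4 };

const RULES = [
  { id: 1, name: 'High-value order', action: 'manual_review',
    test: (o, c) => o.value > c.highValueThreshold },
  { id: 2, name: 'High-risk country', action: 'manual_review',
    test: (o, c) => c.highRiskCountries.includes(o.ipCountry) },
  { id: 3, name: 'Multiple orders same day', action: 'flag',
    test: (o, c) => o.customer.ordersToday > c.maxOrdersPerDay },
  { id: 4, name: 'Mismatched locations', action: 'additional_verification',
    test: (o) => o.ipCountry !== o.billingCountry },
  { id: 5, name: 'Disposable email', action: 'additional_verification',
    test: (o, c) => c.disposableEmailDomains.includes((o.email.split('@')[1] || '').toLowerCase()) },
  { id: 6, name: 'Multiple failed payments', action: 'temporary_block',
    test: (o, c) => o.customer.failedPaymentAttempts >= c.maxFailedPayments },
];

function assessOrder(order, config = RULE_CONFIG) {
  const triggered = RULES.filter((r) => r.test(order, config))
    .map(({ id, name, action }) => ({ id, name, action }));
  const decision = triggered.reduce(
    (worst, r) => (ACTION_RANK[r.action] > ACTION_RANK[worst] ? r.action : worst), 'auto_approve');
  // Assumption: a plain flag lets the download through; anything stricter holds it for review
  const holdDownload = ACTION_RANK[decision] >= ACTION_RANK.additional_verification;
  return { orderId: order.id, decision, holdDownload, triggered };
}

// Constructed orders modelled on the fraud detection example above
const SAMPLE_ORDERS = [
  { id: 1045, value: 99, email: 'john@example.com', ipCountry: 'US', billingCountry: 'US',
    customer: { ordersToday: 1, failedPaymentAttempts: 0 } },
  { id: 1046, value: 299, email: 'first@example.com', ipCountry: 'GB', billingCountry: 'US',
    customer: { ordersToday: 1, failedPaymentAttempts: 0 } },
  { id: 1047, value: 25, email: 'x@tempmail.example', ipCountry: 'US', billingCountry: 'US',
    customer: { ordersToday: 5, failedPaymentAttempts: 3 } },
];

for (const o of SAMPLE_ORDERS) {
  const a = assessOrder(o);
  console.log(`Order #${a.orderId}: ${a.decision}${a.holdDownload ? ' (download held)' : ' (instant download)'}`,
    a.triggered.map((r) => `rule ${r.id}`).join(', ') || 'no rules triggered');
}
```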

Manual review process:

Flagged order workflow:
1. Order held:
• Customer pays successfully
• Shopify processes payment
• Alva holds download access
• Email: "Order under review"
2. Merchant reviews:
• Check fraud indicators
• Verify customer details
• Contact customer if needed
• Make decision: approve/reject
3. Decision:
Approve:
• Release download access
• Send download email
• Customer notified immediately
Reject:
• Refund payment
• Revoke access
• Email customer (optional explanation)
• Log incident
4. Timeline:
• Goal: Review within 24 hours
• Notify customer of delay
• Apologize for inconvenience
• Offer discount if delayed >48 hours

Verify customer identity:

Download page authentication:

Options:
1. Email verification (default):
• Customer enters email at download page
• Must match order email
• Simple, no password needed
2. Order number + email:
• Customer enters both
• More secure than email alone
• Good for guest checkouts
3. Customer account login:
• Customer logs into Shopify account
• Strongest authentication
• Best for repeat customers
• Requires customer accounts enabled
4. Magic link:
• Email with unique link
• Link expires after 24 hours
• No password needed
• One-click access
Recommendation: Start with email verification, upgrade to account login for high-value shops

Multi-factor authentication (advanced):

For very high-value products (>$500):
Two-factor process:
1. Customer provides email
2. Email sent with 6-digit code
3. Customer enters code at download page
4. Code expires after 10 minutes
SMS verification:
1. Customer provides phone number
2. SMS with verification code
3. Enter code to access downloads
Benefits:
• Prevents unauthorized access
• Even if email compromised
• Strong identity verification
Drawback:
• Extra friction
• Customer frustration
• Support burden
Use sparingly: Only for truly high-risk scenarios

Data handling:

Data collected:

Essential data (required):
• Name
• Email address
• Order ID
• Purchase date
• IP address (for security)
• Download activity logs
Optional data (for analytics):
• Billing address
• Customer company
• Device/browser info
• Geolocation
Never collected:
❌ Payment card details (Shopify handles)
❌ Social security numbers
❌ Passwords (if using Shopify accounts)
❌ Biometric data

Data retention:

Retention policy:

Active orders:
Retention: Lifetime of download access
Reason: Need to verify and serve downloads
Expired downloads:
Retention: 90 days after expiry
Reason: Grace period for customer requests
Then: Archive or delete
Cancelled/refunded orders:
Retention: 30 days
Reason: Handle disputes, chargebacks
Then: Delete
Download logs:
Retention: 1 year
Reason: Fraud investigation, analytics
Then: Anonymize or delete
Customer accounts (deleted):
Retention: Immediate deletion
Reason: GDPR compliance, customer request
Exception: Keep order history (anonymized)

Settings:

Settings → Privacy → Data Retention
Default retention: 365 days
Delete expired downloads: After 90 days
Anonymize logs: After 1 year
Honor deletion requests: Within 30 days
☑ Automatic deletion of old data
☑ Email customer before deletion
☑ Allow customer to extend access

European customer data:

GDPR requirements:

Mandatory features:
1. Data access requests:
• Customer can request all data
• Provide within 30 days
• Machine-readable format (JSON, CSV)
2. Right to deletion:
• Customer can request deletion
• Delete within 30 days
• Exceptions: Legal obligations, disputes
3. Data portability:
• Export customer data
• Transfer to another service
• JSON or CSV format
4. Consent management:
• Explicit opt-in for marketing
• Separate from transaction emails
• Easy opt-out mechanism
5. Privacy policy:
• Clear explanation of data use
• Updated regularly
• Linked in emails and download pages
6. Data breach notification:
• Notify customers within 72 hours
• Explain impact and remediation
• Report to authorities if required

GDPR implementation:

Settings → Privacy → GDPR
☑ GDPR mode enabled for EU customers
☑ Cookie consent banner
☑ Privacy policy link in footer
☑ Data export function
☑ Data deletion function
☑ Breach notification procedures
Customer data request process:
1. Customer submits request (email or form)
2. Verify customer identity
3. Generate data export (automated)
4. Email export file to customer
5. Log request for audit trail
Timeline: Within 30 days (typically 3-5 days)

Data backup strategy:

Backup schedule:

Database backups:
Frequency: Daily (automated)
Retention: 30 daily, 12 monthly
Storage: Encrypted, off-site (different region)
Tested: Monthly restore test
File storage backups:
Frequency: Weekly (automated)
Retention: 4 weekly, 12 monthly
Storage: Cloudflare R2 versioning enabled
Tested: Quarterly restore test
Configuration backups:
Frequency: On change (automated)
Retention: 90 days
Storage: Git repository
Tested: As needed

Disaster recovery:

Recovery scenarios:
1. Database corruption:
• Restore from last daily backup
• RTO (Recovery Time Objective): 1 hour
• RPO (Recovery Point Objective): 24 hours max
2. File storage failure:
• Restore from weekly backup
• RTO: 4 hours
• RPO: 7 days max
3. Complete system failure:
• Restore on new infrastructure
• RTO: 24 hours
• RPO: 24 hours
4. Ransomware attack:
• Isolate affected systems
• Restore from clean backups
• RTO: 48 hours
• RPO: 24 hours
Testing: Quarterly disaster recovery drill

Secure API keys:

API key security:

Best practices:
1. Never commit keys to Git:
❌ BAD: API_KEY="abc123" in code
✅ GOOD: API_KEY from environment variable
2. Rotate keys regularly:
• Every 90 days (quarterly)
• Immediately if compromised
• Document rotation date
3. Use separate keys per environment:
• Development: dev-api-key-xyz
• Staging: staging-api-key-abc
• Production: prod-api-key-def
4. Limit key permissions:
• Read-only for analytics
• Write access only where needed
• Never full admin access
5. Monitor key usage:
• Log all API calls
• Alert on unusual patterns
• Revoke unused keys
6. Store securely:
• Environment variables (server)
• Secure vault (1Password, Vault)
• Never in client-side code

Key rotation procedure:

Quarterly rotation:
1. Generate new key:
Settings → API → Keys → Generate New
2. Update environment:
Production: Update NEW_API_KEY variable
Keep OLD_API_KEY active temporarily
3. Test with new key:
Run integration tests
Monitor for errors
4. Switch to new key:
Set NEW_API_KEY as primary
Monitor for 24 hours
5. Revoke old key:
After 24 hours, revoke OLD_API_KEY
Monitor for any failures
6. Document:
Log rotation date
Update documentation
Notify team
Compromised key rotation: Immediate, skip grace period

Verify webhook authenticity:

HMAC verification:

// ✅ GOOD: Always verify webhook signatures
import crypto from 'crypto';
import express from 'express';
const app = express();
function verifyWebhookSignature(rawBody, signature, secret) {
  if (typeof signature !== 'string' || !secret) return false;
  // Generate HMAC with webhook secret over the raw request bytes
  const hmac = crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('base64');
  const expected = Buffer.from(hmac);
  const received = Buffer.from(signature);
  // timingSafeEqual throws on a length mismatch, so reject that case first
  if (received.length !== expected.length) return false;
  // Compare signatures (timing-safe comparison)
  return crypto.timingSafeEqual(received, expected);
}
// Webhook handler: keep the body raw. The HMAC was computed over the exact bytes Shopify sent;
// re-serializing a parsed object (JSON.stringify) changes whitespace and key order and breaks it.
app.post('/webhooks/orders/paid', express.raw({ type: 'application/json' }), async (req, res) => {
  const signature = req.headers['x-shopify-hmac-sha256'];
  const rawBody = req.body; // Buffer, thanks to express.raw
  // Verify signature
  if (!verifyWebhookSignature(rawBody, signature, process.env.SHOPIFY_WEBHOOK_SECRET)) {
    console.error('Invalid webhook signature');
    return res.status(401).send('Unauthorized');
  }
  // Signature valid: parse and process webhook
  const body = JSON.parse(rawBody.toString('utf8'));
  await processOrder(body);
  res.status(200).send('OK');
});
// ❌ BAD: No verification (NEVER DO THIS)
app.post('/webhooks/orders/paid', async (req, res) => {
  // Anyone can send fake webhooks!
  await processOrder(req.body);
  res.status(200).send('OK');
});

Webhook security checklist:

☑ HMAC signature verification
☑ HTTPS only (no HTTP)
☑ Webhook secret stored securely
☑ Rate limiting on webhook endpoint
☑ Log all webhook attempts
☑ Alert on verification failures
☑ Idempotency (handle duplicates)
☑ Timeout handling (respond within 5s)
Common attacks prevented:
• Replay attacks (duplicate webhooks)
• Man-in-the-middle (HTTPS)
• Forged webhooks (HMAC)
• DDoS (rate limiting)

Protect against abuse:

Rate limit implementation:

API rate limits:
Public API (no auth):
• 60 requests/hour per IP
• Burst: 10 requests/minute
• Block: 1 hour after exceeded
Authenticated API:
• 1,000 requests/hour per API key
• Burst: 100 requests/minute
• Block: 10 minutes after exceeded
Admin API:
• 5,000 requests/hour per key
• Burst: 500 requests/minute
• Throttle: Slow down if exceeded
Download endpoints:
• 10 downloads/minute per token
• 100 downloads/hour per IP
• Block: Suspicious patterns

Rate limit responses:

HTTP 429 Too Many Requests
Headers:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1709856000
Retry-After: 3600
Body:
{
"error": "Rate limit exceeded",
"message": "Too many requests. Please try again in 1 hour.",
"limit": 1000,
"reset": "2024-03-08T10:00:00Z"
}
Client handling:
1. Check X-RateLimit-Remaining header
2. If low, slow down requests
3. If 429 response, wait for Retry-After
4. Implement exponential backoff

What to monitor:

Key security metrics:

Access patterns:
• Failed authentication attempts
• Multiple downloads from different IPs
• Rapid successive downloads
• Access to expired links
• Geographic anomalies
Red flags:
⚠️ >5 failed auth attempts (1 hour)
⚠️ Downloads from >5 IPs (same order)
⚠️ 10+ downloads within 1 minute
⚠️ Access attempts after expiry
⚠️ VPN/proxy IP usage
Fraud indicators:
• High-risk country orders
• Mismatched billing/shipping
• Multiple orders same card
• Chargebacks
• Refund rate spikes

Log analysis:

Download logs:
Settings → Logs → Download Activity
Filter: Suspicious activity
Date range: Last 7 days
Results:
Order #1045:
✓ 3 downloads, 2 IPs (normal)
Order #1046:
⚠️ 8 downloads, 6 different IPs
⚠️ IPs from US, UK, AU, DE, BR, IN
🚨 Alert: Possible account sharing
Action:
1. Review customer account
2. Check watermark IDs (if enabled)
3. Contact customer
4. Revoke access if confirmed abuse
5. Apply download limit
Investigation:
• Customer may have shared link
• Or: Customer using VPN/travel
• Verify before taking action

Automated alerts:

Alert configuration:

Settings → Security → Alerts
Critical alerts (immediate):
☑ Multiple IPs exceed threshold
☑ Unusual download volume spike
☑ Access to revoked downloads
☑ Failed authentication >10/hour
☑ API key leaked (GitHub, public)
Notification:
• Email: security@yourshop.com
• SMS: [Your phone]
• Slack: #security-alerts
Warning alerts (daily digest):
☑ Medium-risk fraud orders
☑ Downloads near limit
☑ IP from high-risk country
☑ VPN/proxy usage
☑ Expired link access attempts
Notification:
• Email: Daily summary at 9 AM

Alert response:

Alert: Multiple IPs detected
Order: #1046
Customer: john@example.com
Downloads: 8 from 6 IPs
Time span: 2 hours
Response procedure:
1. Immediate: Temporarily suspend access
2. Investigate:
• Review download IPs
• Check customer history
• Look for watermark sharing evidence
• Contact customer
3. Resolution:
Legitimate (traveling, VPN):
• Restore access
• Add note to customer record
• Adjust alert threshold
Abuse (sharing):
• Keep access suspended
• Send warning email
• Offer to re-enable with lower limit
• Document incident
Fraud (stolen account):
• Permanently revoke access
• Refund customer
• Report to Shopify
• Update fraud rules

Identify security incidents:

Incident types:

Type 1: Unauthorized access
Signs:
• Customer complains of unknown downloads
• Unusual IP addresses in logs
• Multiple simultaneous downloads
Type 2: Content leak
Signs:
• Content found on piracy site
• Customer reports shared link
• Watermark traced to source
Type 3: Data breach
Signs:
• Unauthorized database access
• Customer data exposed
• Suspicious outbound traffic
Type 4: Account takeover
Signs:
• Password reset requests spike
• Login attempts from unusual locations
• Customer complaints about unauthorized orders
Type 5: API abuse
Signs:
• Rate limit exceeded frequently
• Unusual API patterns
• Scraping behavior detected

Incident investigation:

Investigation steps:

1. Detect and confirm:
• Alert triggered or customer reports
• Verify incident is real (not false positive)
• Classify severity: Critical/High/Medium/Low
• Estimate impact: Customers affected, data exposed
2. Contain:
• Suspend affected accounts/downloads
• Revoke compromised API keys
• Block malicious IPs
• Isolate affected systems
• Stop spread of breach
3. Investigate root cause:
• Review logs (access, API, download)
• Identify vulnerability exploited
• Timeline of incident
• Scope of compromise
4. Remediate:
• Fix vulnerability
• Rotate credentials
• Apply security patches
• Update security rules
5. Recovery:
• Restore normal operations
• Verify systems secure
• Monitor for recurrence
• Notify affected customers
6. Post-incident:
• Document incident report
• Update security procedures
• Train team on prevention
• Implement additional controls

Example investigation:

Incident: Content found on piracy site
1. Detect:
• Customer reports ebook on Torrent site
• Date: Jan 15, 2024
• Verified: File matches product
2. Identify source:
• Check watermark on leaked file
• Watermark ID: WM-a3f5e8b2c4
• Traced to: Order #1046, john.doe@example.com
• Order date: Jan 10, 2024
3. Review customer activity:
• Downloads: 5 times
• IPs: 3 different (US, UK, Germany)
• Pattern: Rapid downloads within 1 hour
• Assessment: Likely shared or sold access
4. Contain:
• Revoke download access immediately
• Contact customer via email
• Request removal from piracy site
• Document evidence
5. Remediate:
• Strengthen watermarking
• Reduce download limits (10 → 5)
• Enable stricter IP tracking
• Update terms of service
6. Legal action (if warranted):
• Send cease & desist
• DMCA takedown notice to piracy site
• Report to authorities if large-scale
• Consult with attorney

When to notify customers:

Notification requirements:

Mandatory notification:
Data breach:
• Customer data exposed
• Payment information at risk
• Account credentials compromised
Timeline: Within 72 hours (GDPR requirement)
Optional notification:
Security improvement:
• New security features added
• Password reset recommended
• Terms of service updated
Timeline: Next email communication
Do not notify:
Internal security issues:
• Server misconfiguration fixed
• API key rotation (routine)
• False positive alerts
• Suspected but unconfirmed incidents

Notification template:

Subject: Important Security Update for Your Account
Dear [Customer Name],
We are writing to inform you of a security incident that may have affected your account.
What happened:
[Brief description of incident]
What information was involved:
[List of data types potentially exposed]
What we're doing:
• [Actions taken to secure systems]
• [Steps to prevent recurrence]
• [Additional security measures implemented]
What you should do:
1. [Immediate action required, if any]
2. [Recommended security steps]
3. [How to contact support]
We take security seriously and sincerely apologize for this incident. Your trust is important to us, and we are committed to protecting your data.
If you have questions, please contact us at security@yourshop.com or [Support Phone].
Sincerely,
[Your Shop] Security Team
---
Additional resources:
• [Link to detailed FAQ]
• [Link to security blog post]
• [Link to updated privacy policy]

Limit staff access:

Role-based access control:

Roles:
Owner (full access):
• All settings and data
• Financial information
• API keys and security
• User management
Assign: Business owner only
Admin (most access):
• Product management
• Order management
• Customer support
• File uploads
• No access: API keys, billing
Assign: Trusted staff, managers
Staff (limited access):
• View orders
• Process refunds
• Customer messages
• No access: Settings, files, billing
Assign: Support team, fulfillment
Developer (technical access):
• API access
• Webhook management
• App settings
• No access: Financial data, customer PII
Assign: External developers, contractors

Staff security practices:

Requirements:
☑ Unique accounts (no sharing)
☑ Strong passwords (12+ characters)
☑ Two-factor authentication enabled
☑ Regular access review (quarterly)
☑ Immediate revocation on termination
☑ Activity logging and auditing
Staff training:
• Security awareness training (annual)
• Phishing test exercises
• Data handling procedures
• Incident reporting process
Monitoring:
• Log all staff actions
• Alert on sensitive operations
• Review access logs monthly
• Audit permissions quarterly

Audit schedule:

Monthly audits:

Checklist:
☐ Review access logs for anomalies
☐ Check failed authentication attempts
☐ Review fraud prevention effectiveness
☐ Verify backups completing successfully
☐ Update software/dependencies
☐ Review API key usage
☐ Check SSL certificate expiry
☐ Monitor security alerts
Time: 1-2 hours
Responsible: Store owner or admin
Document: Audit log with findings

Quarterly audits:

Checklist:
☐ Full security settings review
☐ Staff access permissions audit
☐ Data retention compliance check
☐ GDPR compliance verification
☐ Test disaster recovery procedures
☐ Review and update security policies
☐ Penetration test (if high-value)
☐ Third-party security scan
Time: 4-8 hours
Responsible: Owner or security consultant
Document: Comprehensive audit report

Annual audits:

Comprehensive review:
☐ Full penetration testing
☐ Code security review
☐ Infrastructure security assessment
☐ Compliance certification (if required)
☐ Privacy policy update
☐ Terms of service review
☐ Incident response plan test
☐ Staff security training
☐ Vendor security assessment
Consider hiring:
• Security consultant
• Penetration testing firm
• Compliance auditor
Cost: $2,000-$10,000+ depending on scope
Benefit: Identify vulnerabilities before they are exploited

Vendor security:

Evaluate vendors:

Before integrating third-party services:
Security questionnaire:
☐ How is data encrypted?
☐ Where is data stored (region)?
☐ Who has access to data?
☐ What are backup procedures?
☐ Is service SOC 2 compliant?
☐ What is incident response process?
☐ How often are security audits performed?
☐ What is uptime SLA?
Red flags:
❌ No encryption
❌ Unclear data storage location
❌ No compliance certifications
❌ Poor security track record
❌ No incident response plan
❌ Vague answers to security questions
Trusted vendors (examples):
✓ Shopify (platform)
✓ Cloudflare (CDN, security)
✓ Postmark (email)
✓ Stripe (payments)
✓ All have strong security practices

Educate customers:

Download page security tips:

Display on download page:
Security Tips:
✓ Download files immediately after purchase
✓ Store downloads in secure location
✓ Do not share download links
✓ Links are for your personal use only
✓ Content is watermarked with your info
✓ Unauthorized sharing may result in legal action
License reminder:
"This content is licensed to you for personal use.
Sharing, reselling, or distributing this content
violates our Terms of Service and may result in
legal action."
Report piracy:
"If you find this content shared online, please report it:
security@yourshop.com - Reward: 10% off next purchase"

Email communication:

Include in order confirmation email:
Security reminder:
"Your download link is personal and should not be shared.
It is watermarked with your information and tracked for security."
Encourage reporting:
"Help us protect content creators. If you see our products
shared without authorization, let us know."
Terms reminder:
"By downloading, you agree to our Terms of Service: [Link]"

Complete security setup:

Download security:
☑ Expiry: 60-90 days configured
☑ Download limits: 5-10 set
☑ IP tracking enabled
☑ Unique token generation
☑ Token expiry on use (optional)
File protection:
☑ Watermarking enabled (if applicable)
☑ HTTPS enforced everywhere
☑ CDN signed URLs
☑ File encryption at rest
Access control:
☑ Fraud prevention enabled
☑ Manual review for high-risk orders
☑ Customer authentication required
☑ Download page requires email
Data security:
☑ GDPR compliance configured
☑ Data retention policy set
☑ Backups automated and tested
☑ Privacy policy published
API security:
☑ API keys stored securely
☑ Webhook signature verification
☑ Rate limiting configured
☑ HTTPS only
Monitoring:
☑ Security alerts configured
☑ Download logs reviewed weekly
☑ Fraud rates monitored
☑ Incident response plan documented
Audits:
☑ Monthly security reviews
☑ Quarterly full audits
☑ Annual penetration testing
☑ Staff security training

Tiered security recommendations:

Low value (<$30):

Essential:
• 60-day expiry
• 5 download limit
• Email authentication
• IP logging
Optional:
• Fraud prevention
• Watermarking
Risk: Low
Protection: Basic but sufficient

Medium value ($30-$100):

Essential:
• 60-day expiry
• 5 download limit
• Email authentication
• IP logging
• Fraud prevention enabled
Recommended:
• Watermarking
• IP restrictions (3-5 IPs)
• Download alerts
Risk: Medium
Protection: Standard industry level

High value (>$100):

Essential:
• 30-45 day expiry
• 3-5 download limit
• Customer account required
• IP tracking and restrictions
• Fraud prevention with manual review
• Watermarking enabled
• Download alerts
Advanced:
• Multi-factor authentication
• File encryption
• Legal terms acceptance
• License agreement
Risk: High
Protection: Maximum available