Security Policy

Wizard Labs (Wizard Labs, “we”, “us”, “our” and terms of similar meaning) operates the website hosted at the wizardlabs.cloud domain and all associated subdomains (the “Website”), as well as the services provided by the Website (the “Service”) in compliance with these terms and conditions of use.

Before you install our app on your store, you must read, understand and agree the terms stated here, and by using the Service you become legally bound by them.

The Service is an online invoicing software for Shopify stores. It is a mobile-compatible web application that allows the design and creation of invoices, packing slips, credit notes, and other document types. The Service is based on the SaaS (software as a service) model and requires a subscription.

Policy Statement

The goal of this policy is to outline Wizard Labs's responsibilities for identifying, investigating and addressing security incidents and data breaches. It establishes a clear understanding of their roles and procedures for handling such incidents.

Applicability

This policy applies to all information systems, whether they are owned by Wizard Labs or not, that are used to store, process, transmit or access Wizard Labs's data. It also applies to all personnel including employees, merchants of the application, contracted entities, and any other authorized individuals who have access to Wizard Labs's assets and information resources.

Definitions

  • The Computer Security Incident Response Team (CSIRT) is a part of the Information Security Office responsible for handling reports of computer security incidents and activity involving Wizard Labs's data and/or information systems. They are responsible for receiving, reviewing and coordinating the response to these incidents.
  • A Data Breach is the unauthorized access, acquisition, use, or disclosure of restricted data. Data breach notifications are subject to regulatory requirements following a private investigation and risk assessment.
  • An Incident is an event, whether electronic, physical, or social that negatively impacts the confidentiality, integrity, or availability of Wizard Labs's data or information systems, or a real or suspected action that is inconsistent with Wizard Labs's privacy or terms and conditions.
  • An Information System is an individual or collection of computing and networking equipment and software used to perform a specific business function.

Specifics

The Computer Security Incident Response Team (CSIRT) is responsible for identifying and investigating security events to determine if an incident has occurred and the extent, cause, and damage of the incident. The CSIRT is responsible for directing the recovery, containment, and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. They also coordinate responses with external parties when existing agreements place responsibility for incident investigations on the external party. During security incident investigations, the CSIRT is authorized to monitor relevant Wizard Labs IT resources and retrieve communications and other relevant records of specific users of the Wizard Labs Application, including login session data and the content of individual communications without notice or further approval and in compliance with the Monitoring of IT Resources Policy. Any external disclosure of information regarding information security incidents must be reviewed and approved by the Wizard Labs CIO in consultation. The CSIRT coordinates with law enforcement, government agencies, peer CSIRTs, and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share external threat and incident information with these organizations that do not identify any member of the Wizard Labs Application.

Review and Adjudication

All members of the Wizard Labs Application are responsible for promptly reporting any suspected or confirmed security incident involving Wizard Labs Data or an associated information system, even if they have contributed in some way to the event or incident. Reports should be made to the Wizard Labs support department (helpwizard@wizardlabs.cloud) and members of the Wizard Labs Application must cooperate with incident investigations, and may not interfere, obstruct, prevent, retaliate against, or discourage others from reporting an incident or cooperating with an investigation. Information Security Administrators (ISAs) are responsible for training users to recognize and report information security incidents. Information Security Managers (ISMs) are responsible for responding to and periodically reporting on Low Severity security incidents according to procedures established by the Information Security Office. High Severity incidents reported to or discovered by ISMs should be promptly reported to the Computer Security Incident Response Team (CSIRT). The Computer Security Incident Response Team (CSIRT) is responsible for responding to High Severity incidents according to procedures established in the Wizard Labs Computer Security Incident Response Plan. The Chief Information Security Officer is responsible for staffing the CSIRT and augmenting staff with subject matter experts and/or surge staffing as necessary.

Violations and Compliance

Wizard Labs's policies may comply with standards set by some regulators, such as the Payment Card Industry Data Security Standard (PCI DSS), US data privacy laws, European Union General Data Protection Regulation (GDPR), and the United Kingdom data protection laws. These standards provide guidelines on how to secure personally identifiable information (PII) and other sensitive data. Any failure to comply with this policy could result in disciplinary action for employees, including termination. Merchants could also have their merchant membership terminated.

Updated at: October 2024