SECURITY

Last Updated: March 2024

How We Respond to Security Incidents

Welcome to Softify OÜ! By signing up for one of the applications created by Softify OÜ or by using any of the services offered by Softify OÜ, you are agreeing to be bound by the following conditions.

Softify OÜ provides a complete invoicing platform that enables Shopify merchants to unify their invoicing activities. Among other features, this platform includes a range of tools for merchants to create and customize various document types like invoices, packing slips, credit notes, return labels, and shipping labels. The Drag & Drop designer can also be used to create any kind of document type. Any new features or tools which are added to the current Services will also be subject to this document.

Softify OÜ also provides an AI-powered personalization platform that marketers and e-commerce professionals use to deliver personalized shopping experiences across the web and mobile without any technical knowledge. Any new features or tools which are added to the current Services will also be subject to this document.

We reserve the right, from time to time, to modify, amend or restate this document or any other terms, rules, or conditions that are published on this website or on our applications. We will take reasonable steps to attempt to notify you of such amendments but you agree that such notice is not required and waive any right to dispute any term of the Agreement due to a prior amendment and/or failure to receive adequate notice. If you do not agree to, or cannot comply with, the terms as amended, you are not authorized to use our applications. You will be deemed to have accepted the terms as amended if you continue to use our applications after any amendments are posted on our applications and/or the company website. We reserve the right to refuse to provide services or products to anyone at any time.

These terms are a legally binding contract between you and Softify OÜ (collectively, “Softify”, "Softify Apps", "Easy Invoice+", "Easy Upsell & Cross Sell+", “we,” or “us”) regarding your use of our applications and services. Please read these terms carefully, and keep a copy of them for your reference if possible. In this Agreement, "you," "your", "merchant", "store owner", "Shopify user" and "Customer" will refer to you. If you are visiting, using, or registering for any Softify OÜ application or service on behalf of an entity or other organization, you are agreeing to these Terms for that entity or organization and representing to Softify OÜ that you have the authority to bind that entity or organization to these Terms (and, in which case, the terms "you," "your", "merchant", "store owner", "Shopify user" and "Customer" will refer to that entity or organization).

Policy Statement

The purpose of this policy is to clearly define Softify roles and responsibilities for the investigation and response to computer security incidents and Data Breaches.

Applicability

This policy covers all information systems that handle Softify Data, regardless of who owns or operates them, and wherever they are located. It also applies to all personnel, including employees responsible for security incident response, Merchants using the Application, contractors, and anyone else who is authorized to access Softify's assets and information resources.

Definitions

  • The Computer Security Incident Response Team (CSIRT) is a component of the Information Security Office, tasked with the duty of receiving, analyzing, and organizing the response to reports of computer security incidents, as well as activities that involve Softify Data and/or Information Systems.
  • A data breach refers to the unauthorized access, acquisition, use, or disclosure of Restricted Data. When a data breach occurs, Softify must conduct a private investigation and risk assessment to determine the scope and impact of the breach. In addition, Softify must comply with regulatory requirements regarding data breach notifications.
  • An incident refers to any event, whether physical, social, or electronic, that negatively affects the confidentiality, integrity, or availability of Softify's data or information systems. It can also refer to any actual or suspected activity that violates Softify's privacy policies or terms and conditions.
  • An information system is a combination of hardware, software, and networking components that are used together to perform a specific business function. This can include any individual computer or device, as well as larger systems that involve multiple machines working together, such as a server or a network of interconnected devices. The purpose of an information system is to process, store, and transmit data and information, and it can include both physical and virtual components. Examples of information systems include databases, websites, email systems, and enterprise resource planning (ERP) software.

Policy Specifics

  • The Computer Security Incident Response Team (CSIRT) is responsible for detecting and investigating security events to determine whether an incident has occurred. In the event of an incident, the CSIRT determines the extent, cause, and damage caused by the incident through a thorough investigation.
  • The CSIRT is responsible for directing the recovery, containment, and remediation of security incidents. This includes authorizing and facilitating necessary changes to information systems to address security incidents. Additionally, the CSIRT coordinates incident response efforts with external parties in cases where existing agreements stipulate that the external party is responsible for incident investigations. The team works closely with other stakeholders within Softify to ensure that security incidents are handled efficiently and effectively.
  • As part of security incident investigations, the CSIRT is authorized to monitor Softify's IT resources and retrieve communications and relevant records of specific Softify Application users, including login session data and communication content, without notice or further approval. This is done in compliance with the Monitoring of IT Resources Policy.
  • Any external disclosure of information regarding information security incidents must undergo a review and approval process by the Softify Chief Information Officer (CIO), in consultation with relevant parties.
  • The CSIRT plays a crucial role in collaborating with law enforcement, government agencies, peer CSIRTs, and relevant Information Sharing and Analysis Centers (ISACs) to identify and investigate security incidents. As part of this process, the CSIRT is authorized to share information related to external threats and incidents with these organizations, provided that such information does not identify any member of the Softify Application. This collaboration is essential in the identification and prevention of security incidents and helps to ensure the security of Softify's information systems and data.

Review and Adjudication

  • All individuals who have access to Softify Data or information systems are required to report any security incident involving such assets to the Softify support department (support@softify.co) immediately, regardless of whether they played a role in the incident. It is important that they cooperate with any investigation related to the incident and not interfere, obstruct, prevent, retaliate against or dissuade others from reporting an incident or participating in an investigation.
  • Information Security Administrators (ISAs) are responsible for developing and implementing unit-specific procedures to educate users on how to identify and report information security incidents promptly. They are also responsible for ensuring that all personnel within their respective units are adequately trained on information security policies and procedures.
  • Information Security Managers (ISMs) are accountable for reacting to and periodically documenting Low Severity security incidents based on protocols specified by the Information Security Office. If ISMs report or discover High Severity incidents, they must promptly notify the Computer Security Incident Response Team (CSIRT).
  • The Computer Security Incident Response Team (CSIRT) is tasked with responding to High Severity incidents in accordance with the procedures set forth in the Softify Computer Security Incident Response Plan. The CSIRT is responsible for coordinating the containment, recovery, and remediation of security incidents, as well as authorizing and expediting any changes to information systems necessary to carry out these activities. Additionally, the CSIRT is authorized to monitor relevant Softify IT resources and retrieve communications and other records of specific users in the course of conducting investigations.
  • The Chief Information Security Officer is responsible for ensuring that the Computer Security Incident Response Team (CSIRT) is adequately staffed. The CSIRT may be augmented with subject matter experts and/or surge staffing as necessary to effectively respond to security incidents.

Policy Violations

Non-compliance with this policy may lead to disciplinary action for employees, up to and including termination. Additionally, merchants may have their membership terminated if found in violation of this policy.

Compliance

Softify policies are designed to comply with various compliance standards. These standards provide guidelines on how organizations should safeguard personally identifiable information (PII) and other sensitive data.