Bloom stores no personally identifiable information about shoppers - Notify Me sign-ups pass straight to your Klaviyo account and are never persisted. See Data and privacy. Most incidents therefore involve shop configuration or service availability, not a personal-data breach.
Severity scale
Every incident gets a severity on first triage. It sets the response speed and who gets pulled in.- Critical. Active unauthorised access to production, confirmed exposure of merchant or shopper data, or a full outage of the Bloom service. Response starts immediately, day or night.
- High. A likely breach not yet confirmed, a compromised credential, or a partial outage affecting many stores. Response within hours.
- Medium. A contained issue affecting one store or a single component, with no data exposure. Response within one business day.
- Low. A near-miss, a minor misconfiguration, or a vulnerability report with no active exploitation. Logged and scheduled.
Roles and responsibilities
Good Native is a small team. One person owns the incident end to end.- Incident lead. The founder, or their delegate, takes the lead on any High or Critical incident. They own triage, decisions, the timeline, and all external notifications. Every incident has exactly one lead.
- Responders. Anyone else pulled in to contain, investigate, or remediate. They report to the lead and don’t notify outside parties on their own.
- Communications. The lead handles all contact with Shopify, merchants, and processors. One voice avoids mixed messages.
Detection and evidence
We spot incidents from these sources:- Sentry. Error and exception monitoring across the Bloom Workers. Spikes or new error classes trigger review.
- Cloudflare. Worker logs, Analytics Engine, and WAF / firewall events for the app’s infrastructure.
- Shopify. Partner Dashboard activity, app install / uninstall events, and webhook delivery failures.
- Reports. A merchant, a shopper, Shopify, or a security researcher reporting something directly.
- Export the relevant Cloudflare logs and Sentry issues for the affected window.
- Screenshot or export Shopify Partner activity and any merchant-reported detail.
- Record timestamps in UTC, the accounts involved, and what was accessed or changed.
- Don’t delete logs, rotate away evidence, or redeploy over the affected state until it’s captured.
Response steps
Work the incident in order. The lead records each step with a timestamp.- Contain. Stop the bleeding. Rotate compromised credentials and API tokens, disable the affected Worker route or feature, or block the source at Cloudflare. Containment beats a clean fix.
- Investigate. Using the preserved evidence, establish what happened, what was accessed, which stores are affected, and the root cause. Confirm or revise the severity.
- Remediate. Fix the root cause - patch the code, close the misconfiguration, revoke the access. Verify the fix in production.
- Recover. Restore normal service, confirm monitoring is clean, and watch for recurrence. Re-issue any credentials that were rotated.
Breach notification
Notification is the lead’s call and starts as soon as a breach is confirmed - in parallel with containment, not after recovery.- Shopify. Report any incident involving Shopify or merchant data to Shopify without undue delay, as required by the Partner Program Agreement and API Licence. Use the Partner Dashboard or
partners@shopify.com. - Affected merchants. Notify any merchant whose store or data is affected without undue delay. State what happened, what was affected, and what they need to do.
- Supervisory authority (GDPR). If an incident is a personal-data breach likely to risk individuals’ rights, notify the relevant supervisory authority within 72 hours of becoming aware. Notify affected individuals if the risk is high.
- Processors. Loop in Cloudflare or Klaviyo if the incident originates in or affects their platform.
Because Bloom holds no shopper PII, GDPR breach-notification duties rarely apply. The 72-hour clock only starts for a confirmed personal-data breach.
Post-incident review
Within one week of resolving any High or Critical incident, the lead runs a review. It’s blameless - the goal is a better system, not blame.- Timeline. What happened, when, and how we responded.
- Root cause. Why it happened, not just what broke.
- Actions. Concrete fixes with an owner and a date - monitoring gaps, missing alerts, process changes.
- Policy. Update this page if the incident exposed a gap in it.
