Data Loss Prevention (DLP) Policy

Lecxa Pty Ltd - Data Loss Prevention (DLP) Policy

Last Updated: August 29, 2025
Policy Owner: Luke Howard
1.0 Purpose and Scope
The purpose of this Data Loss Prevention (DLP) Policy is to establish a framework of controls and procedures to prevent the unauthorized disclosure, exfiltration, or leakage of sensitive company and customer data.
This policy applies to all systems that process or store Restricted data and to all personnel who have access to such data.
2.0 Data Classification
This policy is primarily concerned with protecting Restricted data. We follow the data classification scheme defined in our main Internal Data Handling Policy, where all Shopify Protected Customer Data is classified as Restricted.
3.0 Access Control Strategy
Our primary strategy for preventing data loss is strict adherence to the Principle of Least Privilege. Access to Restricted data is granted on a need-to-know basis only and is enforced through technical controls.
Our access control model is technically enforced via:
  • Role-Based Access Control (RBAC): Staff members are assigned roles (e.g., Administrator, Support Agent) with defined permissions.
  • Row-Level Security (RLS): We use Supabase's Row-Level Security on all database tables containing Restricted data. RLS policies ensure that even authenticated staff members can only read or modify the specific slice of data absolutely necessary for their job function, effectively preventing mass data exfiltration.
3.1 Authentication Security
All staff members must use a strong, unique password for any development or platform accounts, with a minimum length of 32 characters. Staff should utilise some form of password management software and rotate passwords every 6 months or if a breach occurs.
Furthermore, Multi-Factor Authentication (MFA) is mandatory where applicable/accessible and must be enabled for all staff accounts.
 
4.0 Technical Controls for DLP
In addition to our access control strategy, the following technical controls are in place to prevent data loss:
  • Encryption: All Restricted data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Mandatory MFA: Multi-Factor Authentication is enforced for all staff accounts with access to our backend systems, including the Supabase dashboard.
  • Access Logging: An immutable audit log is maintained for all access and modifications to tables containing Restricted data.
  • Environment Segregation: Production data is strictly isolated and is never used in non-production (development, testing) environments.
5.0 Policy Review
This policy will be reviewed annually by the Policy Owner to ensure it remains effective and relevant.