Data Loss Prevention (DLP) Policy

Lecxa Pty Ltd - Data Loss Prevention (DLP) Policy

Last Updated: December 1, 2025
1.0 Purpose and Scope
The purpose of this Data Loss Prevention (DLP) Policy is to establish a framework of controls and procedures to prevent the unauthorized disclosure, exfiltration, or leakage of sensitive company and customer data.
This policy applies to all systems that process or store Restricted data and to all personnel who have access to such data.
2.0 Data Classification
This policy is primarily concerned with protecting Restricted data. We follow the data classification scheme defined in our main Internal Data Handling Policy, where all Shopify Protected Customer Data is classified as Restricted.
3.0 Access Control Strategy
Our primary strategy for preventing data loss is a strict adherence to the Principle of Least Privilege. Access to Restricted data is granted on a need-to-know basis only and is enforced through technical controls.
Our access control model is technically enforced via:
  • Role-Based Access Control (RBAC): Staff members are assigned roles (e.g., Administrator, Support Agent) with defined permissions.
  • Row-Level Security (RLS): We use Supabase's Row-Level Security on all database tables containing Restricted data. RLS policies ensure that even authenticated staff members can only read or modify the specific slice of data absolutely necessary for their job function, effectively preventing mass data exfiltration.
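The Row-Level Security control above, shown as a concrete Supabase (Postgres) policy set. This is an added illustration, not Lecxa's schema or any text of this policy; the table customer_pii, its assigned_agent column and the app_role claim in the JWT's app_metadata are assumed names.

```sql
-- Added illustration (hypothetical schema): Administrators get full access to a
-- Restricted table, Support Agents only the customer rows assigned to them.
-- Table, column and claim names are assumptions, not Lecxa's own.

-- 1. Enable RLS and FORCE it so the table owner cannot bypass it either.
ALTER TABLE public.customer_pii ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.customer_pii FORCE ROW LEVEL SECURITY;

-- 2. Read the staff role from the request JWT. Supabase exposes the token as
--    auth.jwt() (jsonb) and the caller's user id as auth.uid().
CREATE OR REPLACE FUNCTION public.current_app_role()
RETURNS text
LANGUAGE sql STABLE
AS $$
  SELECT coalesce(auth.jwt() -> 'app_metadata' ->> 'app_role', 'none');
$$;

-- 3. Administrator role: unrestricted read and write.
CREATE POLICY admin_full_access ON public.customer_pii
  FOR ALL
  TO authenticated
  USING (public.current_app_role() = 'Administrator')
  WITH CHECK (public.current_app_role() = 'Administrator');

-- 4. Support Agent role: SELECT and UPDATE limited to assigned rows; the
--    WITH CHECK clause stops an agent reassigning a row to someone else.
CREATE POLICY agent_select_assigned ON public.customer_pii
  FOR SELECT
  TO authenticated
  USING (public.current_app_role() = 'Support Agent'
         AND assigned_agent = auth.uid());

CREATE POLICY agent_update_assigned ON public.customer_pii
  FOR UPDATE
  TO authenticated
  USING (public.current_app_role() = 'Support Agent'
         AND assigned_agent = auth.uid())
  WITH CHECK (assigned_agent = auth.uid());

-- No policy grants DELETE to agents, and no policy matches the 'none' role,
-- so a token without a valid app_role claim sees zero rows. Note that the
-- Supabase service_role key bypasses RLS entirely and must stay server-side.
```

Because policies are permissive by default, a role is confined to exactly the union of what its matching policies allow, which is what makes a bulk read of every row impossible for an agent token.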
3.1 Authentication Security
All staff must use a strong, unique password for all development, administration, and platform accounts. Passwords should be generated using a password manager and be at least 16 characters in length, or equivalent strength.
Password rotation is required if a compromise is suspected or the password may have been exposed.
Multi-Factor Authentication (MFA) is enabled where applicable for all staff accounts.
 
4.0 Technical Controls for DLP
In addition to our access control strategy, the following technical controls are in place to prevent data loss:
  • Encryption: All Restricted data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access Logging: An immutable audit log is maintained for all access and modifications to tables containing Restricted data.
  • Environment Segregation: Production and non-production environments are logically separated. Production Protected Customer Data is not copied into non-production environments. Where realistic data is required for testing, we use synthetic or anonymised data, or ensure equivalent security controls (encryption, access control, logging) are in place.
5.0 Policy Review
This policy will be reviewed annually by the Policy Owner to ensure it remains effective and relevant.