Security Policy

Wizard Labs (Invoice Wizard, “we”, “us”, “our” and terms of similar meaning) operates the website hosted at the invoicewizard.io domain and all associated subdomains (the “Website”), as well as the services provided by the Website (the “Service”) in compliance with these terms and conditions of use.

Before you install our app on your store, you must read, understand and agree the terms stated here, and by using the Service you become legally bound by them.

The Service is an online invoicing software for Shopify stores. It is a mobile-compatible web application that allows the design and creation of invoices, packing slips, credit notes, and other document types. The Service is based on the SaaS (software as a service) model and requires a subscription.

Policy Statement

The goal of this policy is to outline Invoice Wizard's responsibilities for identifying, investigating and addressing security incidents and data breaches. It establishes a clear understanding of their roles and procedures for handling such incidents.


This policy applies to all information systems, whether they are owned by Invoice Wizard or not, that are used to store, process, transmit or access Invoice Wizard's data. It also applies to all personnel including employees, merchants of the application, contracted entities, and any other authorized individuals who have access to Invoice Wizard's assets and information resources.



The Computer Security Incident Response Team (CSIRT) is responsible for identifying and investigating security events to determine if an incident has occurred and the extent, cause, and damage of the incident. The CSIRT is responsible for directing the recovery, containment, and remediation of security incidents and may authorize and expedite changes to information systems necessary to do so. They also coordinate responses with external parties when existing agreements place responsibility for incident investigations on the external party. During security incident investigations, the CSIRT is authorized to monitor relevant Invoice Wizard IT resources and retrieve communications and other relevant records of specific users of the Invoice Wizard Application, including login session data and the content of individual communications without notice or further approval and in compliance with the Monitoring of IT Resources Policy. Any external disclosure of information regarding information security incidents must be reviewed and approved by the Invoice Wizard CIO in consultation. The CSIRT coordinates with law enforcement, government agencies, peer CSIRTs, and relevant Information Sharing and Analysis Centers (ISACs) in the identification and investigation of security incidents. The CSIRT is authorized to share external threat and incident information with these organizations that do not identify any member of the Invoice Wizard Application.


Review and Adjudication

All members of the Invoice Wizard Application are responsible for promptly reporting any suspected or confirmed security incident involving Invoice Wizard Data or an associated information system, even if they have contributed in some way to the event or incident. Reports should be made to the Invoice Wizard support department (helpwizard@invoicewizard.io) and members of the Invoice Wizard Application must cooperate with incident investigations, and may not interfere, obstruct, prevent, retaliate against, or discourage others from reporting an incident or cooperating with an investigation. Information Security Administrators (ISAs) are responsible for training users to recognize and report information security incidents. Information Security Managers (ISMs) are responsible for responding to and periodically reporting on Low Severity security incidents according to procedures established by the Information Security Office. High Severity incidents reported to or discovered by ISMs should be promptly reported to the Computer Security Incident Response Team (CSIRT). The Computer Security Incident Response Team (CSIRT) is responsible for responding to High Severity incidents according to procedures established in the Invoice Wizard Computer Security Incident Response Plan. The Chief Information Security Officer is responsible for staffing the CSIRT and augmenting staff with subject matter experts and/or surge staffing as necessary.


Violations and Compliance

Invoice Wizard's policies may comply with standards set by some regulators, such as the Payment Card Industry Data Security Standard (PCI DSS), US data privacy laws, European Union General Data Protection Regulation (GDPR), and the United Kingdom data protection laws. These standards provide guidelines on how to secure personally identifiable information (PII) and other sensitive data. Any failure to comply with this policy could result in disciplinary action for employees, including termination. Merchants could also have their merchant membership terminated.