Security at Shop Insight

Your data security and privacy are our top priorities. Learn how we protect your information.

Last updated: December 15, 2025

Security Overview

Encryption

TLS 1.3+ for data in transit, AES-256 for data at rest

Compliance

GDPR, CCPA compliant. SOC 2 Type II in progress

Infrastructure

Enterprise-grade cloud infrastructure with 99.9% uptime

Monitoring

24/7 security monitoring and automated threat detection

1. Data Encryption

Encryption in Transit

  • TLS 1.3: All data transmitted between your browser and our servers is encrypted using industry-standard TLS 1.3
  • HTTPS Only: We enforce HTTPS across all Shop Insight services
  • Perfect Forward Secrecy: Each session uses unique encryption keys
  • Strong Cipher Suites: Only modern, secure cipher suites are supported

Encryption at Rest

  • AES-256 Encryption: All data stored in our databases is encrypted using AES-256
  • Encrypted Backups: Database backups are encrypted before storage
  • Secure Key Management: Encryption keys are managed using industry best practices
  • Shopify Tokens: OAuth tokens are encrypted before storage

2. Infrastructure Security

Cloud Infrastructure

  • Enterprise Cloud Provider: Hosted on tier-1 cloud infrastructure with ISO 27001, SOC 2, and SOC 3 certifications
  • Geographic Redundancy: Data replicated across multiple availability zones
  • DDoS Protection: Built-in protection against distributed denial of service attacks
  • Automated Backups: Daily encrypted backups with point-in-time recovery

Network Security

  • Firewall Protection: Network-level firewalls restrict unauthorized access
  • Private Networks: Database and internal services run on private networks
  • Rate Limiting: Automatic rate limiting prevents abuse and brute force attacks
  • IP Whitelisting: Administrative access restricted to authorized IP addresses

Application Security

  • Regular Updates: Dependencies and frameworks kept up to date
  • Security Patches: Critical security patches applied within 24 hours
  • Vulnerability Scanning: Automated scanning for known vulnerabilities
  • Code Reviews: All code changes reviewed before deployment

3. Access Control

Authentication & Authorization

  • Shopify OAuth: Secure OAuth 2.0 integration for merchant authentication
  • API Key Security: Separate keys for tracker, dashboard, and Shopify access
  • Role-Based Access: Least privilege principle for all system components
  • Session Management: Secure session tokens with automatic expiration

Internal Access Controls

  • Minimal Access: Only essential team members have production access
  • Two-Factor Authentication: Required for all administrative access
  • Audit Logging: All administrative actions are logged and monitored
  • Time-Limited Access: Temporary credentials for support and maintenance

4. Data Protection & Privacy

PII Protection

  • No PII Collection: We don't collect names, emails, or personal identifiers from store visitors
  • Automatic PII Filtering: Real-time detection and removal of sensitive information
  • URL Normalization: Remove identifying information from URLs before storage
  • Anonymous Sessions: Session-based tracking with no user identification

Data Minimization

  • Essential Data Only: We only collect data necessary for providing insights
  • Retention Limits: Data automatically deleted based on your plan (7 days to 12 months)
  • Aggregation: AI processing uses aggregated, anonymized data only
  • Export & Deletion: You can export or delete your data at any time

5. Security Monitoring

Continuous Monitoring

  • 24/7 Monitoring: Automated monitoring of all critical systems
  • Intrusion Detection: Real-time detection of suspicious activity
  • Log Analysis: Centralized logging with automated analysis
  • Uptime Monitoring: Continuous monitoring of service availability

Incident Response

  • Security Team: Dedicated team for security incident response
  • Incident Response Plan: Documented procedures for handling security incidents
  • Rapid Response: Critical security issues addressed within hours
  • Transparent Communication: Affected customers notified promptly

6. Compliance & Certifications

Current Compliance

GDPR Compliant

Full compliance with EU General Data Protection Regulation

CCPA Compliant

California Consumer Privacy Act compliance

Privacy by Design

Security and privacy built into every feature

Shopify Partner

Official Shopify Partner with secure OAuth integration

In Progress

SOC 2 Type II Certification

We are currently undergoing SOC 2 Type II audit. Expected completion: Q2 2026. This certification demonstrates our commitment to security, availability, and confidentiality.

7. Third-Party Security

Vendor Security Standards

We carefully vet all third-party services and only work with vendors that meet our security standards:

  • Shopify: ISO 27001, SOC 2, PCI DSS Level 1 certified - handles OAuth authentication and billing
  • OpenAI: SOC 2 Type II certified, processes only aggregated data
  • Cloud Infrastructure: ISO 27001, SOC 2, SOC 3 certified

Payment Security

All payments are processed through Shopify's Billing API. We never handle or store payment information. Shopify is PCI DSS Level 1 certified and manages all payment security.

Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all third-party processors to ensure GDPR compliance and data protection.

8. Responsible Disclosure

Security Vulnerability Reporting

We appreciate the security research community's efforts to help keep Shop Insight secure. If you discover a security vulnerability:

  1. 1. Report privately: Email security@shopinsight.app with details
  2. 2. Include details: Steps to reproduce, potential impact, affected systems
  3. 3. Give us time: Allow 90 days for investigation and remediation
  4. 4. Don't exploit: Don't access or modify user data

Coordinated Disclosure

We commit to:

  • Acknowledge receipt within 24 hours
  • Provide regular updates on remediation progress
  • Credit researchers (with permission) for responsible disclosure
  • Not pursue legal action against good-faith security research

9. Security Best Practices for Merchants

While we secure our platform, merchants should follow these best practices:

Account Security

  • Strong Passwords: Use unique, complex passwords for your Shopify account
  • Two-Factor Authentication: Enable 2FA on your Shopify account
  • API Key Security: Never share or expose your dashboard API key
  • Regular Reviews: Review connected apps in your Shopify settings regularly

Data Protection

  • Privacy Policy: Disclose Shop Insight tracking in your privacy policy
  • Customer Consent: Obtain necessary consents under GDPR/CCPA
  • PII Configuration: Configure PII filtering appropriately for your store
  • Access Control: Limit team member access to only what's necessary

10. Contact Our Security Team

For security-related inquiries, vulnerability reports, or compliance questions:

Response Times:

  • Critical security issues: Within 4 hours
  • Security questions: Within 24 hours
  • General inquiries: Within 2 business days

Security is Our Foundation

Shop Insight is built on a foundation of security best practices. We continuously monitor, test, and improve our security posture to protect your data.

TLS 1.3 + AES-256GDPR + CCPA99.9% Uptime24/7 Monitoring