Skip to content
English
  • There are no suggestions because the search field is empty.

What security measures does the Provenance Shopify app have in place?

Security is built into our app's design and operation across several layers:

Least-privilege access. The app requests only the minimum Shopify permissions it needs (read/write products). Because it never requests access to orders, customers, or payment data, that data is never exposed to us in the first place — the most effective control is not holding data we don't need.

Authentication and authorisation. The app uses Shopify's standard OAuth flow and session-token authentication, so only authorised users on your store can access it. All incoming webhooks from Shopify are cryptographically verified (HMAC-signed) to confirm they are genuine before we act on them. Communication between the plug-in and the Provenance platform is authenticated with secure API credentials.

Encryption. All data is transmitted over encrypted connections (HTTPS/TLS) between your store, the plug-in, and the Provenance platform. Data at rest is held on encrypted, access-controlled infrastructure, and application secrets and credentials are stored in a managed, restricted secrets store — never in code or in publicly readable locations.

Independent testing and certification. Provenance holds the UK government-backed Cyber Essentials certification, and we commission third-party penetration testing every year to identify and remediate vulnerabilities across our platform.

Secure development and dependency management. Our codebase is continuously monitored for vulnerable third-party libraries using automated tooling (Dependabot), which surfaces and applies security updates — including for the Shopify app's dependencies. Every code change is also run through automated security checks in our continuous-integration pipeline, including static application security analysis (Brakeman) and dependency vulnerability auditing, so known issues are caught before changes are released.

Data protection and privacy (GDPR). The app is built to comply with GDPR and Shopify's data-protection requirements. It implements Shopify's mandatory data-request and data-redaction webhooks, and — because it holds no shopper personal data — there is no customer PII at risk. All store data is permanently deleted when the app is uninstalled.

Storefront safety. The content the app publishes to your storefront is public marketing information by design; no credentials, secrets, or personal data are ever placed in storefront-accessible locations.