StorekeptBack to home

Security Overview

A summary of Storekept's security posture, for merchants evaluating the app and for Shopify's app reviewers.

Data handling

  • The app backs up a merchant's Shopify store data, including customer personal data, solely to provide backup and restore. It is never used for any other purpose.
  • The app is hosted on a netcup VPS running Dokploy, an open-source self-hosted application platform; the web app, background worker, PostgreSQL, and Redis all run as Dokploy-managed Docker containers on that VPS. Application metadata is stored in the PostgreSQL container, encrypted at rest. Backup snapshots are stored in Cloudflare R2, encrypted at rest.
  • All network connections use TLS — Shopify API, object storage, database, and job queue.
  • Customer personal data is never written to logs or error reports; the error tracker is configured to scrub PII.

Access & authentication

  • Merchants authenticate through Shopify OAuth; the app never sees or stores a merchant password.
  • Infrastructure accounts use strong unique credentials with two-factor authentication.
  • Production data access is limited to the operator and is recorded in an audit log.

Environment separation

  • Separate Shopify app records, databases, and storage buckets for test and production.
  • The test environment never contains real merchant data.
  • Secrets are supplied via environment variables managed in Dokploy — never committed to the repository.

Application security

  • Built on Shopify's official app framework; only current, supported Shopify APIs are used.
  • All inbound webhooks are HMAC-verified; invalid signatures are rejected.
  • Dependencies are audited; the API version is pinned and reviewed.
  • The codebase is private; CI runs lint, type-check, and the full test suite on every change.

Privacy compliance

  • The three mandatory Shopify privacy webhooks are implemented: customers/data_request, customers/redact, shop/redact.
  • Data retention and deletion follow our Data Retention Policy; all store data is purged within 48 hours of app uninstall.

Reporting a vulnerability

Security issues can be reported to team@storekept.relayt.uz. Reports are acknowledged and investigated promptly; please allow reasonable time for a fix before public disclosure.