Security Overview
A summary of Storekept's security posture, for merchants evaluating the app and for Shopify's app reviewers.
Data handling
- The app backs up a merchant's Shopify store data, including customer personal data, solely to provide backup and restore. It is never used for any other purpose.
- The app is hosted on a netcup VPS running Dokploy, an open-source self-hosted application platform; the web app, background worker, PostgreSQL, and Redis all run as Dokploy-managed Docker containers on that VPS. Application metadata is stored in the PostgreSQL container, encrypted at rest. Backup snapshots are stored in Cloudflare R2, encrypted at rest.
- All network connections use TLS — Shopify API, object storage, database, and job queue.
- Customer personal data is never written to logs or error reports; the error tracker is configured to scrub PII.
Access & authentication
- Merchants authenticate through Shopify OAuth; the app never sees or stores a merchant password.
- Infrastructure accounts use strong unique credentials with two-factor authentication.
- Production data access is limited to the operator and is recorded in an audit log.
Environment separation
- Separate Shopify app records, databases, and storage buckets for test and production.
- The test environment never contains real merchant data.
- Secrets are supplied via environment variables managed in Dokploy — never committed to the repository.
Application security
- Built on Shopify's official app framework; only current, supported Shopify APIs are used.
- All inbound webhooks are HMAC-verified; invalid signatures are rejected.
- Dependencies are audited; the API version is pinned and reviewed.
- The codebase is private; CI runs lint, type-check, and the full test suite on every change.
Privacy compliance
- The three mandatory Shopify privacy webhooks are implemented:
customers/data_request,customers/redact,shop/redact. - Data retention and deletion follow our Data Retention Policy; all store data is purged within 48 hours of app uninstall.
Reporting a vulnerability
Security issues can be reported to team@storekept.relayt.uz. Reports are acknowledged and investigated promptly; please allow reasonable time for a fix before public disclosure.