Security
What we do to protect your store.
In plain English
Shopify access tokens are encrypted at rest with a key stored outside the database. Every webhook is HMAC-verified. Everything on the wire uses TLS 1.2 or better. We scan dependencies automatically and have a written incident-response runbook. If you find a vulnerability, email security@flintmere.com and we’ll respond within 24 hours.
Last updated:
Encryption at rest
Shopify access tokens are encrypted at rest using AES-256-GCM. The encryption key is stored in an environment secret outside the database — a database dump alone cannot decrypt tokens. Keys are rotated annually or on any suspected compromise.
Other sensitive fields (webhook secrets, Stripe references, sub-processor API keys) are stored in our infrastructure secret store, never committed to source control.
Encryption in transit
All traffic to flintmere.com, audit.flintmere.com, and app.flintmere.com uses TLS 1.2 or higher with modern cipher suites. HTTP is redirected to HTTPS. HSTS is enabled on all subdomains.
Webhook verification
Every incoming Shopify webhook is verified by HMAC-SHA256 against the shared secret before we process it. Unverified webhooks are rejected with 401. This protects against spoofed uninstall or GDPR webhooks.
Mandatory Shopify compliance webhooks (customers/data_request, customers/redact, shop/redact, app/uninstalled) are handled within Shopify’s published response windows.
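The verification step described above, as an added example that is not Flintmere's own code: it recomputes the base64-encoded HMAC-SHA256 of the raw request body under the shared secret, compares it in constant time against the X-Shopify-Hmac-Sha256 header, and rejects anything that does not match with a 401. The secret value and the handler shape are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder for this example. A real app loads the shared secret
# from its secret store; it is never hard-coded or committed to source control.
WEBHOOK_SECRET = b"example-shared-secret"

HEADER_NAME = "x-shopify-hmac-sha256"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 of the raw body, as Shopify sends it."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(headers: dict, raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only if the header signature matches the body under the shared secret.

    Verify the raw bytes exactly as received: re-serialising parsed JSON changes
    whitespace and key order and produces a different digest.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    provided = lowered.get(HEADER_NAME)
    if not provided:
        return False
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison so response timing does not reveal how many
    # leading bytes of a forged signature were correct.
    return hmac.compare_digest(expected, provided)


def handle_webhook(headers: dict, raw_body: bytes) -> tuple[int, str]:
    """Minimal handler: 401 for an unverified webhook, 200 once verified."""
    if not verify_webhook(headers, raw_body):
        return 401, "unverified"
    # Only a verified payload (e.g. app/uninstalled or a GDPR topic) is processed.
    return 200, "ok"
```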
Scope minimisation
The Shopify app requests only read_products and write_products. We do not request customer, order, inventory, financial, shipping, or fulfillment scopes. If Shopify adds a scope in a future API version that we don’t need, we keep the minimum.
Access control
Production access is limited to two people by default. All production access is logged. We use short-lived tokens and hardware security keys for administrator authentication. We do not use shared logins.
Dependency and vulnerability management
We run automated dependency scans on every commit. Critical and high CVEs are patched within 7 days; medium within 30; low within 90. We track Shopify API deprecation notices and migrate within one version of release.
Infrastructure and backups
Flintmere runs on DigitalOcean (UK region) managed via Coolify. Postgres is backed up nightly with point-in-time recovery retained for 14 days. Backups are encrypted. We do not use cross-region replication outside the UK/EU.
Logging and monitoring
Application errors are captured in Sentry (EU) with PII scrubbing at source. Uptime is monitored by BetterStack (EU). Request logs are retained for 90 days in hot storage and for up to 13 months in cold storage for fraud and abuse investigation. We do not log Shopify access tokens, customer PII, or payment card data.
Incident response
We maintain a written incident-response runbook. On confirmed personal-data breach, we notify the ICO within 72 hours as required by UK GDPR Article 33, and affected individuals without undue delay where there is a high risk.
Shopify partners are notified via the Partner Dashboard per Shopify’s App Store requirements.
Responsible disclosure
We welcome security research. Email security@flintmere.com with findings. We will:
- Acknowledge your report within 24 hours
- Not pursue legal action for good-faith research
- Confirm resolution timelines within 5 working days
- Credit you publicly once the issue is fixed (unless you prefer anonymity)
Please do not test against other merchants’ stores, extract data beyond what’s needed to demonstrate the issue, or degrade service availability.
What we don't claim
We’re a small team. We are not currently ISO 27001 certified or SOC 2 audited. We do not claim PCI-DSS compliance because Stripe handles payment card data directly and we never see it. If your procurement requires a formal audit, contact us at security@flintmere.com — we can walk you through our security questionnaire.