How Secure is My Data?

One of the questions we get asked often is "How do I know that my data is secure"?

As you might imagine, the answer has multiple levels of complexity. So we thought it might be best to break things down in an article.

Installation 

Prior to Report Toaster being allowed in the Shopify app store, we were subjected to a rigorous app review process. During the review process, we were required to fulfill all of the requirements for public apps on Shopify.

Let's dig a bit deeper into a few of those that are related to security.

OAuth

Once a merchant decides to install Report Toaster, our app must authenticate using Shopify's OAuth process. This process uses the OAuth 2.0 specification, which is a framework intended to enable third-party access to HTTP services. The Shopify OAuth implementation is a multi-pass authentication process which allows apps access to the Admin API. 

Permissions

As part of the OAuth process, Report Toaster requests only the permissions it needs to provide comprehensive reporting to merchants. Upon install, merchants are prompted to review the permissions requested by Report Toaster:

The Permissions currently requested for the following Admin API endpoints are as follows:

1. Customers - Read only
   
2. Orders - Read only
   
3. Products - Read only
   
4. Discounts - Read only
   
5. Locations - Read only
   
6. Product Prices - Read only
   
7. Shop - Read shop and Edit script tags

Report Toaster Access

The Report Toaster application is a non-embedded Shopify app, meaning that  it exists in a separate browser window from the Shopify Admin. However, the app does not allow independent login and can only be accessed via the Shopify admin portal. This ensures that only staff members with access too a merchant's Shopify admin can access Report Toaster and the data contained within.

In addition, all browser requests from a Report Toaster user to retrieve reports are done using HTTPS. This guarantees protection and integrity of all data while in transit between the Report Toaster servers and a user.

Data Infrastructure

The Report Toaster application and all associated merchant data is hosted in an AWS VPC, allowing us to leverage best-in-class cloud infrastructure and services. You can read more about AWS cloud security here and the individual services here.

Networking

The Report Toaster infrastructure implements the following security measures:

1. A web application firewall (WAF) that intelligently blocks intrusion attempts.
   
2. AWS-based protection against distributed denial of service attacks.
   
3. Robust internal and external monitoring to immediately alert us to any network anomalies.
4. Public and private infrastructure are separated by VPCs (virtual private networks).

Databases

The Report Toaster data is stored in MongoDB database. We use the following data security measures:

1. Live data is replicated across three AWS availability zones.
   
2. Database is backed up every four hours.
3. Encryption at rest - the data is stored encrypted on disk.
   
4. Encryption in transit - data is encrypted in transit between servers.
   
5. Servers are physically protected in AWS data centers.

Data Privacy

We understand that the data stored in Report Toaster is extremely important to our merchants and their customers. That is why data privacy is our number one priority, and this is reflected in our privacy policy. 

Compliance

We pride ourselves on being both GDPR and CCA compliant. This includes responding to all required Shopify GDPR webhooks. 

We have also been approved by Shopify to manage protected customer data by fulfilling their stringent requirements.

Retention

When a merchant uninstalls Report Toaster, all associated data is removed from our servers. We are also required to respond to any Shopify customer data deletion requests.

Sharing

We NEVER share any customer data with third parties.

Least Privilege

We subscribe to the concept of least privilege security. This means our staff is granted access to merchant data only as necessary and for the shortest period of time required. 

Additional Information

As mentioned at the beginning of the article, all Shopify apps must comply with a series of security and privacy requirements. These requirements are as follows:

Security Requirements

Privacy Requirements

For more information about using Report Toaster, check out our FAQ or reach out to us at any time :) 

• Related Articles

• Why Am I Getting a Message That My Data Is Syncing?

  To allow for the best reporting experience, Report Toaster creates a separate datastore containing your relevant Shopify data. When you first install the app (or upgrade your account to a paid plan) you may see a message in the notifications bar to ...

• Why Do I Have No Data In a Report?

  This guide is intended to help users troubleshoot common causes for having no data in a report. 1.) Account is still syncing your store data This is by far the most common cause of having no data in a report. Usually this is the case when you have ...

• Data List Reports (Video)

  This Report Toaster video tutorial explains Data List Reports. This video covers things like:  - Data list reports (e.g. the Orders report)  - Changing the Date Range on a report.  - Adding Columns to a Report - Removing Columns from a Report - ...

• What Do I Get In Report Toaster (that I don't get in Shopify?)

  What do I get out of Report Toaster that I don't get in Shopify? I already get reports in Shopify - why do I need Report Toaster? Why should I upgrade my Report Toaster Account? In fact, questions like this are so commonplace that we have an entire ...

• How Do I Sort Data in a Report?

  In this next 'Basics' article, we'll look at how to sort data by different columns in a report.  Much like in Excel, sorting lets you choose which columns you want to sort the data by (alphabetically). This can be very useful if you are looking to ...