Security of transfers of personal data
An important element of assessing international transfers is the analysis of technical and organizational measures to keep personal data safe. In compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws, Shopify deploys comprehensive technical and organizational measures to keep merchants' customers' personal data safe and secure.
This page provides a summary of our security program, and more information can be found on Security.
Physical security
Shopify leverages virtual hosting environments stored in data centers with industry-standard security certifications. Sites are physically protected by perimeter security and multi-tier security zones with alarms, CCTV surveillance, 24/7 on-premises security staff, multi-factor identification, private cages, and physical locks. Hard drives don't leave data centers; instead, they're destroyed securely on site. Our servers are hosted at data centers with the following certifications:
- Tier III
- International Standard for Information Security (ISO 27001)
- Payment Card Industry Data Security Standard (PCI DSS)
Architecture
Shopify’s platform is based on a multi-tenant architecture, optimized for performance and resilience. Merchant personal data is segregated by application-level controls. The application environment on each server (the application, its dependencies, and its configuration files) is replaced when changes are deployed, which eliminates vectors for malware persistence.
Application
Maintaining application security is critical to our development process. Our developers are trained regularly on application security best practices, and we monitor for vulnerabilities. Store owners can also set up additional security features. For example, account owners can:
- Activate multi-factor authentication on their account.
- View activity logs, including recent login activity by user.
- Set role-based access levels.
- Enforce granular API scope permissions.
Two-Step Authentication
Features such as two-step authentication act as an additional layer of security to make it more difficult for an unauthorized person to access our merchants’ accounts. This extra layer can reduce the likelihood of account takeovers.
When you attempt to log in, you need to complete two separate steps:
- Enter your email address and password; and
- Authenticate the log-in using a mobile device or security key.
That way, even if someone else learns the password, they won't be able to log in without the second step.
Shopify offers a number of two-step authentication methods, including SMS, authenticator app, and security key.
For more information, refer to Securing your account with two-step authentication.
Encryption
Information in transit is encrypted using these industry-standard cryptographic protocols:
- SSH
- HTTPS-TLSv1.2
Shopify uses the HTTPS protocol for checkout, storefronts, and admin pages. Credit card details and other sensitive information in operational data stores are encrypted at rest. All user passwords are salted and hashed using the bcrypt hashing algorithm when stored.
Shopify uses Transport Layer Security (TLS), an encryption protocol used to secure internet communications, to secure all connections to merchant admin and stores. When a browser's address bar shows a padlock icon next to a URL that starts with https://, the connection uses TLS. TLS protects all connections to Shopify, including merchant connections and merchant customer connections. Shopify supports TLS version 1.2 and higher.
TLS certificates give merchant stores the following benefits:
- They add a layer of security by encrypting customer personal data.
- They help to build customer trust by displaying a padlock icon beside the online store’s URL.
For more information, refer to Transport Layer Security and Enabling secure connections to your Shopify store.
PCI Compliance
Shopify is certified Level 1 PCI DSS compliant. The PCI Security Standards Council is a globally recognized organization, dedicated to maintaining standards for the secure processing of credit card transactions. It helps vendors like Shopify merchants process credit card payments securely and protect cardholder information.
We at Shopify are serious about securely hosting your store and have invested significant time and money to make sure our solution is PCI DSS compliant. From annual assessments validating compliance to continuous risk management, we work hard to keep our shopping cart and ecommerce hosting secure.
All stores powered by Shopify are PCI DSS compliant by default so our merchants can keep payment information and business data safe.
Our compliance covers the six PCI standard goals:
- Maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access controls.
- Regularly monitor and test networks.
- Maintain an information security policy.
Refer to Shopify’s PCI Compliance for more information.
Service Organization Control (SOC)
Service Organization Control (SOC) reports are assessments of a company’s information systems by third-party auditors who certify that the company meets an independent set of standards, including criteria related to the security and availability of its services.
Shopify has been issued the following reports for the service we provide to our customers:
- SOC 2 Type II
- SOC 3
For more information, refer to our Compliance Reports. Anyone logged in as a merchant can find the SOC 2 Type II report there.
Other Security Essentials
Shopify’s security controls include a number of essential security features like these:
- Third-party vulnerability scans and penetration tests are performed regularly in order to identify and remedy potential security weaknesses.
- Server and application performance are monitored continuously by our production engineering team.
- Our configuration management tooling ensures servers have the current configuration applied.
- Shopify monitors applicable vulnerability disclosure and security update sources, and takes action as necessary.
- Merchants and security contractors are able to test on their own storefront.
- Merchants are encouraged to report platform findings to our HackerOne Program.
- Our systems are engineered for rapid recovery of data in the event of a disaster. Backup recovery is tested daily.
- Shopify has multiple levels of redundancy to ensure merchant data is available to merchants and that customers can use merchant stores.
- We have a formal incident response and resolution process.
- Employee devices are centrally managed to implement and restrict security measures in line with Shopify security policies.
- Web Application Firewall (WAF) configuration exists platform-wide.
- Shopify offers Data Loss Prevention through platform and security monitoring, such as intrusion prevention/detection systems (IDS/IPS) in sensitive environments.
- Shopify implements access controls based on role following the principle of least privilege.
- We assist with annual security reviews by providing our independent audit reports, such as SOC 2 Type II.
- Employees receive information security awareness training and are subject to contractual confidentiality obligations.
For more information, refer to Security.