Security of transfers of personal data

Shopify maintains a comprehensive information security program that includes technical and organizational measures to keep your customers' personal data safe and secure. It also reviews its security measures periodically, and may update such measures at its sole discretion.

This page provides a summary of some safeguards that are included in Shopify’s information security program. For more information, refer to Shopify security.

Access controls

Shopify makes your customers’ personal data accessible only to authorized personnel, and only as necessary to maintain and provide its services. Shopify maintains access controls and policies designed to manage authorizations for access, including through the use of firewalls, other technology, and authentication controls.

Security assessments

Shopify maintains a vulnerability assessment and penetration testing program, responsible for investigating and tracking identified issues with its services to resolution where necessary.

Application security

Shopify maintains an application security program that protects its services from application security threats.

Change management

Shopify maintains controls designed to log, test, approve changes to its existing services’ resources, and document change details within its change management or deployment tools. Shopify tests any changes according to its change management standards prior to deployment to production.

Data integrity

As appropriate, Shopify maintains controls designed to provide data integrity during transmission, storage, and processing within its services.


Shopify implements redundancy where appropriate for its services to minimize the effect of a malfunction on its services, it designs its services to anticipate and tolerate failures, and implements appropriate processes designed to move customer data traffic away from the affected areas when necessary to recover from failures

Business continuity and disaster recovery

Shopify maintains a risk management program designed to support the continuity of its critical business functions, including processes and procedures for identification of, response to, and recovery from, events that could prevent or materially impair Shopify’s provision of the services merchants receive.

Incident management

Shopify provides documentation for merchants to report security or availability incidents, ask security or availability questions, and submit information about potential security or availability issues.

Shopify maintains incident response plans designed to detect, mitigate, investigate, and respond to potential security threats to its services.

Physical security

Where necessary to protect its services, Shopify:

  • implements reasonable measures designed to prevent unauthorized physical access, damage, or interference to its services;
  • uses appropriate control devices designed to restrict physical access to its services to only authorized personnel who have a legitimate business need for such access; and
  • performs periodic reviews to validate adherence with these standards.
Ready to start selling with Shopify?Try it free