How to qualify as a Certified Technology Partner
To set a high standard for quality, the following requirements are used to review apps in the Shopify Certified Technology Partner Program. These requirements are focused on several key areas: proven usefulness, infrastructure and performance, merchant support, security, and privacy. They are intended to provide the best Shopify Plus merchant experience across the entire app lifecycle, from listing and installation, to onboarding, functionality, security, and quality.
Although meeting these requirements doesn't guarantee acceptance into the program, they serve as a standard to which we hold all Certified Technology Partners accountable for as long as they are in the program. In general, it's also important for app partners to have a deep foundational knowledge of Shopify Plus, as well as a demonstrated track record of success with numerous Shopify Plus merchants.
1. General requirements
1.1 App Store Compliance
Whether you are an existing or prospective Certified Technology Partner, these requirements apply, in addition to the Shopify App Store requirements.
Additionally, as a Certified Technology Partner, you must remain in good standing with Shopify’s policies.
Staying compliant and in good standing enables you to continue offering valuable solutions within the Shopify ecosystem, while minimizing disruptions to your app’s availability and reputation.
1.2 Category-specific criteria
For Certified Technology Partners, meeting category-specific criteria is required. These criteria serve as a quality benchmark to ensure apps are effectively addressing the unique needs of their users.
If your app belongs in one of the categories below, you must meet the corresponding requirements to qualify as a Certified Technology Partner:
- Ads apps
- Carrier services apps
- Discount apps
- Fulfillment services apps
- Invoices and receipts apps
- Product bundles apps
- Product reviews apps
- Returns and exchanges apps
- Subscription apps
- Forms apps
- Analytics apps
- Email marketing apps
- SMS marketing apps
- Affiliate program apps
For clarity, Certified Technology Partners are not required to meet all Built for Shopify requirements. While category requirements are listed under the Built for Shopify page, these are independently required for purposes of this program. Built for Shopify is a designation of its own and fulfilling these category-specific criteria alone does not qualify your app for full Built for Shopify status.
1.3 Shopify App Store listing
The app should be listed on the Shopify App Store, and it must fulfill all of the requirements listed in the developer documentation.
The app listing is your first point of contact with a merchant, and it’s where they’ll look to decide if your app is right for them. Like your page in the Shopify Technology Partner Directory, your app's listing in the Shopify App Store is one of your most useful marketing tools. An effective app listing encourages Shopify merchants to try the app for themselves or contact your team for more details. Your app listing should be clear, concise, and relevant to interested merchants.
All currently published app listings should be updated with the latest product features and support information.
1.4 Ratings and reviews
Reviews are a critical factor in building trust with merchants. Shopify uses app ratings and reviews from a variety of sources to understand merchant feedback and satisfaction. When a merchant leaves a review for your app, they're required to rate it on a scale of 1 to 5 and leave a comment. To leave a review, the merchant must have installed your app to their store. After a merchant uninstalls an app, they have 45 days to leave a review before the privilege is revoked.
All Certified Technology Partners must establish and maintain an app rating of greater than 4.0 after reaching a minimum of 5 reviews.
Any new or unlisted apps are reviewed independently by the Program team.
For more details on managing app reviews, refer to Managing app reviews.
2. Solution requirements
As a Certified Technology Partner, your integration with Shopify must be solving a Plus Merchant challenge and be built using the latest technology available to create the best Plus merchant experience.
2.1 API Versioning & Implementation
As a Certified Technology Partner, you are expected to be at the forefront of innovation and lead the ecosystem. Your app should be utilizing the latest two versions in production and you must have a clear API version migration strategy for your integration.
In addition, Certified Technology Partners are responsible for delivering reliable and stable merchant experiences. You must have a documented API usage plan to avoid rate limit throttling.
3. Support requirements
Offering support in a timely, professional, and satisfactory manner is important to Shopify Plus merchants.
3.1 Responding to support requests
All Certified Technology Partners must provide the following:
- First response to critical support requests within 30 minutes. Critical support requests include widespread (multiple customers) service outages and reports of security vulnerabilities from customers. Phone, SMS, email, and in-product communication are all approved methods of communication.
- First response to high-priority issues within 12 hours. High-priority support requests include multiple users being unable to access the product (for example, multiple users cannot log in) and other similar requests. Phone, SMS, email, and in-product communication are all approved methods of communication.
- First response to low-priority issues within 3 days through phone, SMS, email, or in-product communication.
- 24/7 support available worldwide. Phone, chat, and email are acceptable forums for support.
Your support resources should be easy to find, and include clear instructions that are specific to how your app integrates with Shopify. To learn more about writing effective help documentation, refer to Fundamentals.
3.2 System status updates
Providing merchants with easy-to-find status updates helps them know whether your app is working as expected. All Certified Technology Partners must provide merchants with the following:
- A dashboard or a status page that shows if your system is running as expected, experiencing issues, or down.
- An on-call team and escalation plan to address system disruptions.
- A readily available process in place to let customers know of planned downtime.
We recommend that Certified Technology Partners provide a status page with one of the following services: statuspage.io or sorryapp.com.
4. Data protection requirements
As our Shopify Plus merchants typically handle large volumes of customer data, it is critical that both Shopify and its Certified Technology Partners have a high standard of care when it comes to processing, handling, and storing data.
4.1 Customer data
If you process Protected customer data, then you must meet all of Shopify’s data protection requirements.
4.2 GDPR, CCPA, CPRA, VCDPA
If you work with Plus merchants who are required to be compliant with privacy laws such as the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), the Colorado Privacy Act, and Virginia's Consumer Data Protection Act, you must be able to support them. Learn more about Privacy Requirements.
5. Security requirements
All Certified Technology Partners must meet all of the following security requirements:
- Your company must perform an annual independent third-party security penetration test of your application, following OWASP and NIST methodologies.
- Securely store Shopify API tokens and secrets in a dedicated secrets management system or encrypted storage, with the capability to rotate secrets without code changes. Access tokens must be encrypted at rest using AES-128 or higher. Never hardcode secrets in source code or configuration files.
- Provide architecture diagrams of your infrastructure setup, including components that handle Shopify data, data flows, security controls, cloud providers, and regions.
- Ensure that test and production environments are technically separated.
- Process only the minimum amount of personal data necessary to meet your functional requirements, and document where each data type is stored.
- Request only the API scopes necessary to meet your functional requirements. Every scope must be justified; no unused or deprecated scopes should be present.
- Set retention periods for data stores containing personal data, and delete or anonymize data when retention periods expire.
- Encrypt personal data in transit using TLS 1.2 or higher. Do not support weak cipher suites or outdated protocols.
- Encrypt personal data at rest using industry-standard encryption (AES-128 minimum) with managed key services.
- Encrypt data backups and test data restoration at least once every 12 months.
- Maintain access logs for all access to data stores containing personal data, with detection capabilities for unusual access patterns.
- Implement role-based access control and audit logging on data stores containing personal data.
- Require passwords of at least 12 characters and multi-factor authentication for all staff accessing production systems containing customer data.
- Establish a vulnerability reporting program with a public security contact and explicit remediation timelines by severity level (critical, high, medium, and low).
- Maintain a process for patching vulnerabilities and tracking remediation progress.
- Develop and enforce policies and training for how employees should handle personal data.
- Establish a security incident response plan with an identified security contact person.
- Notify Shopify of security incidents within 24 hours of a confirmed breach.
6. Infrastructure, reliability, and performance requirements
For an app to be successful, it should offer a consistent and positive experience for the Shopify Plus merchants who use it.
6.1 Load testing
It's important that applications are tested for responsiveness in terms of their stability and performance. All Certified Technology Partners should be able to provide:
- A short summary of how they load test their infrastructure and whether or not load testing is incorporated into the development process, especially during periods of high workload (i.e., BFCM). This should include what kind of load the Partner tests against and what tooling they use to load test the infrastructure.
- An average load time of <400 ms.
6.3 Uptime
All Certified Technology Partners must have a 99.9% uptime service level objective (SLO).
6.4 Storefront speed
For storefront apps only, if your app has the potential to impact a merchant’s store speed, your integration must not reduce the Lighthouse performance score of the store by more than 10 points.
7. Legal and compliance requirements
Security and privacy are critical parts of any web-based business since online apps can be exposed or compromised in many different ways. All Certified Technology Partners must make sure that their applications are secure so that the merchants who use them won't be at risk.
7.1 Privacy policy
Certified Technology Partners must have a privacy policy, and/or a data protection agreement in place.