How to qualify for the Shopify Plus Certified App Program
To set a high standard for quality, the following requirements are used to review apps that apply to the Shopify Plus Certified App Program. These requirements are focused on four key product areas: performance, support, security, and privacy. They are intended to provide the best Shopify Plus merchant experience across the entire app lifecycle, from listing and installation, to onboarding, functionality, security, and quality.
Although meeting these requirements doesn't guarantee acceptance into the program, they serve as a standard to which we hold all Shopify Plus App Partners accountable for as long as they are in the program. In general, it's also important for app partners to have a deep foundational knowledge of Shopify Plus as well as a demonstrated track record of success with numerous Shopify Plus merchants.
The Shopify Plus App Certification requirements apply in addition to the Shopify App Store requirements.
1. General requirements
The requirements in this section apply to all apps that are submitted to the Shopify Plus Certified App Program. Review each section carefully before submitting your application.
1.1 Shopify App Store listing
The app listing is your first point of contact with a merchant, and it’s where they’ll look to see if your app is right for them. Like your page in the Shopify Plus App Directory, your app's listing in the Shopify App Store is one of your most useful marketing tools. An effective app listing encourages Shopify merchants to try the app for themselves or contact your team for more details. Your app listing should be clear, concise, and relevant to interested merchants.
All currently published app listings should be updated with the latest product features and support information.
1.2 Ratings and reviews
Reviews are a critical factor in building trust with merchants. Shopify uses app ratings and reviews from a variety of sources to understand merchant feedback and satisfaction. When a merchant leaves a review for your app, they're required to rate it on a scale of 1 to 5 and leave a comment. To leave a review, the merchant must have installed your app to their store. After a merchant uninstalls an app, they have 45 days to leave a review before the privilege is revoked.
All Shopify Plus Certified App Partners must establish and maintain app rating of greater than 4.0 after reaching 10 reviews.
Any new or unlisted apps are reviewed independently by the Shopify Plus App Partnerships team.
For more details on managing app reviews, refer to Managing app reviews.
2. Support requirements
Offering support in a timely, professional, and satisfactory manner is important to Shopify Plus merchants.
2.1 Responding to support requests
All Shopify Plus Certified App Partners must provide the following:
- First response to critical support requests within 30 minutes. Critical support requests include widespread (multiple customers) service outages and reports of security vulnerabilities from customers. Phone, SMS, email, and in-product communication are all approved methods of communication.
- First response to high-priority issues within 12 hours. High priority support requests include inability to access the product from multiple users (for example, multiple users cannot log in) and other similar requests. Phone, SMS, email, and in-product communication are all approved methods of communication.
- First response to low-priority within 3 days through phone, SMS, email, or in-product communication.
- 24/7 support available worldwide. Phone, chat, and email are acceptable forums for support.
- An emergency developer contact number that's available 24/7, with a point of contact who will be immediately available to receive emergency requests.
Your support contact information and content should be easy to find, and it should include clear instructions that are specific to how your app integrates with Shopify. To learn more about writing effective help documentation, refer to Help documentation.
2.2 System status updates
Providing merchants with easily accessible status updates helps them know whether your app is working as expected. All Shopify Plus Certified App Partners must provide merchants with the following:
- A dashboard or a status page that shows if your system is running as expected, experiencing issues, or down.
- An on-call team and escalation plan to address system disruptions.
- A readily available process in place to let customers know of planned downtime.
3. Security and privacy requirements
Security and privacy are critical parts of any web-based business since online apps can be exposed or compromised in many different ways. All Shopify Partners must make sure that their applications are secure so that the merchants who use them won't be at risk.
Partners that offer software as a service (SAAS) to their customers have a unique risk profile. Therefore, the Partner must provide proof of coverage for the following types of insurance:
- Tech Errors & Omissions (E&O) Insurance
- Cyber Liability Insurance
- Directors & Officers Insurance (D&O)
- Employment Practices Liability Insurance (EPLI)
- General Liability/Property Insurance
3.2 Information security
Information security refers to a set of strategies that technology businesses should have in place for managing the processes, tools, and policies necessary to prevent, detect, document, and counter threats to information.
We take information security very seriously at Shopify, and therefore recommend that all Shopify Plus Certified App Partners maintain and share a detailed information security policy. All Partners must provide links to their information security policy.
3.3 Secure communication of data
Shopify Plus merchants rely on Shopify and its ecosystem of Partners to ensure that their data is handled securely and privately. It's critical that we put data security standards in place to earn and maintain Shopify Plus merchants' trust.
Partners are required to provide detailed answers to the following questions during the application process:
Does your company undergo independent third-party security assessments of any internet-facing systems? If so, then indicate what type (vulnerability assessment or penetration test) and the testing cycle.
Does your company have a vulnerability disclosure program that includes the following:
- An outline of the program's scope, including a description of the products that are included in or excluded from the program.
- A way for merchants to communicate the vulnerability to you directly.
- A reimbursement/payment policy for vulnerability disclosures.
Does your company protect the confidentiality of data in transit by using encryption? If so, then describe your methods, protocols, algorithms, and encryption strength.
Does your company protect the confidentiality of online and offline data at rest by using encryption? If so, then describe your methods, algorithms, and encryption strength.
Do you restrict access to customer data to only the users and support personnel who require it as part of their job function?
Do you review data access permissions and user privileges of these internal systems with customer data periodically?
Does your company employ multi-factor authentication (MFA) on systems that contain customer data?
Partners might also be required to answer additional questions regarding the secure communication of data during the certification process.
3.4 Restricted scopes
Partners must have a data deletion policy that's available for merchants if they use any restricted scopes (such as "orders for all time") or store any of the following data in your own servers (data at rest):
3.5 Terms of Service (TOS)
4. Performance requirements
For an app to be successful, it should offer a consistent and positive experience for the Shopify Plus merchants who use it. The quality of an app's integration into Shopify is an important consideration during the application process.
4.1 Trusted infrastructure
We strongly recommend that all Shopify Plus Certified App Partners use one of the following trusted cloud providers:
- Google Cloud Platform
If the Partner doesn't use one of the platforms listed above, then they must acknowledge that they have an on-premise infrastructure that has safe physical security, redundancies, and environmental resilience.
4.2 Load testing
It's important that applications are tested for responsiveness in terms of their stability and performance (for example, how well can the application handle a particularly high workload for a merchant?). All Shopify Plus Certified App Partners should be able to provide:
- A short summary of how they load test their infrastructure and whether or not load testing is incorporated into the development process. This should include what kind of load the Partner tests against and what tooling they use to load test the infrastructure.
- An average load time of <400 ms.
All Shopify Plus Certified App Partners must have a 99.9% uptime service level objective (SLO).