How to qualify for the Shopify Plus Certified App Program

To set a high standard for quality, the following requirements are used to review apps that apply to the Shopify Plus Certified App Program. These requirements are focused on several key areas: proven usefulness, infrastructure and performance, merchant support, security, and privacy. They are intended to provide the best Shopify Plus merchant experience across the entire app lifecycle, from listing and installation, to onboarding, functionality, security, and quality.

Although meeting these requirements doesn't guarantee acceptance into the program, they serve as a standard to which we hold all Shopify Plus App Partners accountable for as long as they are in the program. In general, it's also important for app partners to have a deep foundational knowledge of Shopify Plus as well as a demonstrated track record of success with numerous Shopify Plus merchants.

The Shopify Plus App Certification requirements apply in addition to the Shopify App Store requirements.

1. General and Built for Shopify achievement requirements

Built for Shopify achievement criteria are required alongside other requirements in this section. All requirements apply to existing or prospective apps in the Shopify Plus Certified App Program. Review each section carefully before submitting your application.

1.1 Shopify App Store listing

The app should be listed on the Shopify App Store, and it must fulfill all of the requirements listed in the developer documentation.

The app listing is your first point of contact with a merchant, and it’s where they’ll look to see if your app is right for them. Like your page in the Shopify Plus App Directory, your app's listing in the Shopify App Store is one of your most useful marketing tools. An effective app listing encourages Shopify merchants to try the app for themselves or contact your team for more details. Your app listing should be clear, concise, and relevant to interested merchants.

All currently published app listings should be updated with the latest product features and support information.

1.2 Ratings and reviews

Reviews are a critical factor in building trust with merchants. Shopify uses app ratings and reviews from a variety of sources to understand merchant feedback and satisfaction. When a merchant leaves a review for your app, they're required to rate it on a scale of 1 to 5 and leave a comment. To leave a review, the merchant must have installed your app to their store. After a merchant uninstalls an app, they have 45 days to leave a review before the privilege is revoked.

All Shopify Plus Certified App Partners must establish and maintain an app rating greater than 4.0 once the app has reached a minimum of 20 reviews.

Any new or unlisted apps are reviewed independently by the Shopify Plus App Partnerships team.

For more details on managing app reviews, refer to Managing app reviews.

2. Solution requirements

As a Plus Certified App, your integration with Shopify must solve a Shopify Plus merchant challenge and be built using the latest technology available, so that it delivers the best Plus merchant experience.

2.1 Versioning

As a certified partner, you are expected to be at the forefront of innovation and lead the ecosystem. Your app should run on one of the two most recent API versions in production, and you must have a clear API version migration strategy for your integration.

2.2 API Implementation

For storefront apps only: if your integration interacts directly with a Shopify merchant's storefront or theme, you must comply with Shopify's latest design and product requirements. For all apps, you must also have an API usage plan that keeps your integration within Shopify's rate limits rather than relying on being throttled and retrying. Ideally you support, or plan to support, the GraphQL and Bulk APIs.
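As an added example (not from Shopify's documentation or any partner's code), the following Node.js snippet shows one way to build the rate-limit handling such a usage plan needs: it reads the cost-based throttle status that the GraphQL Admin API returns under `extensions.cost.throttleStatus`, and the `X-Shopify-Shop-Api-Call-Limit` header of the REST Admin API, and decides how long to wait before the next call so the app stays below the limit instead of hitting HTTP 429. The response objects are constructed inline; the field and header names are as Shopify documents them, while the 80% pause threshold, the one-second default wait and the `planNextCall` helper are this example's own choices.

```javascript
// Added example: throttle-aware pacing for Shopify Admin API calls.
// Assumptions (labelled): GraphQL responses carry extensions.cost.throttleStatus
// with maximumAvailable / currentlyAvailable / restoreRate (points per second);
// REST responses carry X-Shopify-Shop-Api-Call-Limit as "used/limit"; a 429
// carries a Retry-After header in seconds.

// Constructed GraphQL response body, as a client sees it after JSON.parse().
const sampleGraphqlResponse = {
  data: { shop: { name: 'example-plus-store' } },
  extensions: {
    cost: {
      requestedQueryCost: 120,
      actualQueryCost: 95,
      throttleStatus: { maximumAvailable: 1000, currentlyAvailable: 40, restoreRate: 50 },
    },
  },
};

// Seconds to wait until `nextCost` points are available; 0 if affordable now.
function secondsUntilAffordable(throttleStatus, nextCost) {
  const { currentlyAvailable, maximumAvailable, restoreRate } = throttleStatus;
  if (nextCost > maximumAvailable) {
    // Waiting never helps here: the query must be split or paginated.
    throw new RangeError(`query cost ${nextCost} exceeds bucket size ${maximumAvailable}`);
  }
  const deficit = nextCost - currentlyAvailable;
  return deficit <= 0 ? 0 : Math.ceil(deficit / restoreRate);
}

// Parses "32/40" into numbers; null for an absent or malformed header.
function parseCallLimitHeader(value) {
  if (typeof value !== 'string') return null;
  const m = /^(\d+)\/(\d+)$/.exec(value.trim());
  if (!m) return null;
  return { used: Number(m[1]), limit: Number(m[2]) };
}

// Pause once the REST bucket is at or above `threshold` (default 80%) full,
// so the app backs off before Shopify has to throttle it.
function restShouldPause(headerValue, threshold = 0.8) {
  const parsed = parseCallLimitHeader(headerValue);
  if (!parsed) return false; // unknown state: do not block, but log it in production
  return parsed.used / parsed.limit >= threshold;
}

// One decision per response: how long to wait before the next call, and why.
// `response` is { status, headers (lower-case names), body (parsed JSON or null) }.
function planNextCall(response, nextQueryCost = 0) {
  if (response.status === 429) {
    const retryAfter = Number(response.headers['retry-after']);
    const waitSeconds = Number.isFinite(retryAfter) && retryAfter > 0 ? retryAfter : 1;
    return { waitSeconds, reason: 'throttled' };
  }
  const throttle = response.body?.extensions?.cost?.throttleStatus;
  if (throttle) {
    return { waitSeconds: secondsUntilAffordable(throttle, nextQueryCost), reason: 'graphql-cost' };
  }
  if (restShouldPause(response.headers['x-shopify-shop-api-call-limit'])) {
    return { waitSeconds: 1, reason: 'rest-bucket-high' };
  }
  return { waitSeconds: 0, reason: 'ok' };
}

// Usage with the constructed response: 40 points available, 120 needed,
// 50 points/s restored, so wait ceil(80 / 50) = 2 seconds before the next query.
console.log(planNextCall({ status: 200, headers: {}, body: sampleGraphqlResponse }, 120));
```

In production the wait would feed a queue or scheduler per shop, since every Shopify store has its own bucket; the point of the example is that the signals needed to pace calls are already in every response, so an app never has to discover the limit by being throttled.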

2.3 Checkout Extensibility

If you have features that currently modify checkout through checkout.liquid, your app must be upgraded to, or be able to support, Checkout Extensibility.

2.4 Plus feature compatibility

Your integration must be compatible with key Shopify Plus features such as B2B, Markets/Markets Pro, and Flow.

3. Support requirements

Offering support in a timely, professional, and satisfactory manner is important to Shopify Plus merchants.

3.1 Responding to support requests

All Shopify Plus Certified App Partners must provide the following:

  • First response to critical support requests within 30 minutes. Critical support requests include widespread (multiple customers) service outages and reports of security vulnerabilities from customers. Phone, SMS, email, and in-product communication are all approved methods of communication.
  • First response to high-priority issues within 12 hours. High priority support requests include inability to access the product from multiple users (for example, multiple users cannot log in) and other similar requests. Phone, SMS, email, and in-product communication are all approved methods of communication.
  • First response to low-priority requests within 3 days through phone, SMS, email, or in-product communication.
  • 24/7 support available worldwide. Phone, chat, and email are acceptable forums for support.
  • An emergency developer contact number that's available 24/7, with a point of contact who will be immediately available to receive emergency requests.

Your support contact information and content should be easy to find, and it should include clear instructions that are specific to how your app integrates with Shopify. To learn more about writing effective help documentation, refer to Help documentation.

3.2 System status updates

Providing merchants with easy-to-find status updates helps them know whether your app is working as expected. All Shopify Plus Certified App Partners must provide merchants with the following:

  • A dashboard or a status page that shows if your system is running as expected, experiencing issues, or down.
  • An on-call team and escalation plan to address system disruptions.
  • A readily available process in place to let customers know of planned downtime.

We recommend that Shopify Plus Certified App Partners provide a status page using one of the following services: statuspage.io or sorryapp.com.

4. Data protection requirements

As our Shopify Plus merchants typically handle large volumes of customer data, it is critical that both Shopify and Plus Certified App partners have a high standard of care when it comes to processing, handling, and storing data.

4.1 Customer data

If you process Protected customer data, then you must meet all of Shopify’s data protection requirements. You must also have a privacy policy and/or a data protection agreement in place.

4.2 GDPR, CCPA, CPRA

If you work with Plus merchants who are required to comply with GDPR, CCPA, or CPRA, you must be able to support them. Refer to our developer docs, which outline this guidance in more detail:

4.3 Multi-factor authentication (MFA)

Your company must enforce multi-factor authentication for all employees who access or use systems that contain customer data.

5. Security requirements

Your company must perform at minimum an annual security penetration test of your application.

All Shopify Plus Certified App Partners must meet all of the following security requirements:

  • Securely store Shopify API tokens.
  • Implement clear procedures for token rotations.
  • Provide detailed descriptions and diagrams of your infrastructure setup, including visualizations and descriptions of cloud providers, databases, and servers.
  • Process only the minimum amount of personal data necessary to meet your functional requirements.
  • Request only the scopes necessary to meet your functional requirements.
  • Set retention periods for datastores containing personal data.
  • Encrypt personal data in transit using TLS whenever data is transmitted. (SSL, the predecessor of TLS, is deprecated and should not be enabled.)
  • Encrypt personal data at rest using AES or another symmetric encryption scheme, preferably in an authenticated mode such as AES-GCM so that tampering with stored data is detected.
  • Establish a vulnerability reporting program with policies and timelines for acknowledgement and remediation.
  • Undergo independent third-party security assessments and obtain relevant certifications.
  • Encrypt data backups using technical methodologies like AES or other symmetric encryption schemes.
  • Maintain access logs for any and all access to datastores containing personal data.
  • Ensure that test and production instances are separate and test systems do not store or process production data.
  • Require strong passwords and second factors for all staff and service accounts.
  • Develop and enforce policies and training for how employees should interact with personal data.
  • Establish a security incident response process and plan.
  • Implement a data loss prevention strategy.

6. Infrastructure, reliability, and performance requirements

For an app to be successful, it should offer a consistent and positive experience for the Shopify Plus merchants who use it. The quality of an app's integration into Shopify is an important consideration during the application process.

6.1 Trusted Infrastructure

We strongly recommend that all Shopify Plus Certified App Partners use one of the following trusted cloud providers:

  • AWS
  • Azure
  • Google Cloud Platform

If the Partner doesn't use one of the platforms listed above, then they must confirm that their on-premises infrastructure has adequate physical security, redundancy, and environmental resilience.

6.2 Load testing

It's important that applications are tested for responsiveness in terms of their stability and performance (for example, how well can the application handle a particularly high workload for a merchant?). All Shopify Plus Certified App Partners should be able to provide:

  • A short summary of how they load test their infrastructure and whether or not load testing is incorporated into the development process. This should include what kind of load the Partner tests against and what tooling they use to load test the infrastructure.
  • An average load time of less than 400 ms.

6.3 Uptime

All Shopify Plus Certified App Partners must have a 99.9% uptime service level objective (SLO).

6.4 Embedded app standards

If you want to embed your app in the Shopify Admin, then you must use or migrate to Shopify App Bridge 2.0, rather than App Bridge 1.0 or the deprecated Embedded App SDK, to embed your app.

6.5 Storefront speed

For storefront apps only: if your app has the potential to affect a merchant's store speed, your integration must not reduce the store's Lighthouse performance score by more than 10 points.

7. Security and privacy requirements

Security and privacy are critical parts of any web-based business, since online apps can be exposed or compromised in many different ways. All Shopify Partners must make sure that their applications are secure so that the merchants who use them are not put at risk.

7.1 Terms of Service

All Shopify Plus Certified App Partners should have a publicly available terms of service that is linked to their Shopify App Store and Shopify Plus App Directory listings. The merchant must be served your terms of service as part of their onboarding process.

7.2 Information security

Information security refers to a set of strategies that technology businesses should have in place for managing the processes, tools, and policies necessary to prevent, detect, document, and counter threats to information.

We take information security very seriously at Shopify, and therefore recommend that all Shopify Plus Certified App Partners maintain and share a detailed information security policy. All Partners must provide links to their information security policy. Additionally, any data security vulnerability must be acknowledged and Shopify must be notified of it within 24 hours; this commitment must also be included in the Partner's Terms of Service.

Ideally, your company should hold valid security certifications that apply to your application, company, and overall infrastructure, such as PCI DSS or SOC 2 Type 2.

7.3 Privacy policy

Shopify Plus merchants rely on Shopify and its ecosystem of Partners to ensure that their data is handled securely and privately. It's critical that we put data security standards in place to earn and maintain Shopify Plus merchants' trust.

The Partner must have a privacy policy, and/or a data protection agreement in place.

7.4 Insurance

Partners that offer software as a service (SaaS) to their customers have a unique risk profile. Therefore, the Partner would ideally provide proof of coverage for the following types of insurance:

  • Tech Errors & Omissions (E&O) Insurance
  • Cyber Liability Insurance
  • Directors & Officers Insurance (D&O)
  • Employment Practices Liability Insurance (EPLI)
  • General Liability/Property Insurance