Security At SR Innovations
Protecting merchant and customer data is a foundational requirement — not an afterthought. Here is how we build and operate our platform with security at every layer.
Security Overview
A multi-layer security posture designed to protect data at rest and in transit.
TLS 1.3 Encryption
Active: All data in transit is encrypted using TLS 1.3, the latest and most secure transport layer security protocol. Legacy TLS versions are explicitly disabled.
AES-256 at Rest
Active: Sensitive data stored in our databases is encrypted at rest using AES-256, the same standard trusted by governments and financial institutions worldwide.
SOC 2 Compliance
In Progress: We follow SOC 2 Type II controls for security, availability, and confidentiality. Our infrastructure is designed to meet enterprise-grade compliance requirements.
GDPR Ready
Active: Our platform supports GDPR compliance obligations including data portability, right to erasure, and lawful basis for processing merchant and customer data.
Webhook Security
Active: All outgoing webhooks are signed using HMAC-SHA256. Merchants can verify the authenticity of every event payload before processing it.
Shopify Security Standards
Certified: Our apps are built to Shopify's App Store security requirements, using OAuth 2.0 for merchant authorization and requesting only the minimum required API scopes.
How We Handle Your Data
We collect only the minimum data necessary to provide our services. Here is exactly what we collect, how we store it, and how long we keep it.
What We Collect
- Shopify store URL and access token (OAuth 2.0)
- Subscription plan configurations and billing rules
- Customer subscription status (not payment data)
- Webhook event logs for debugging and audits
- App usage analytics (aggregated, never individual)
How We Store It
- All PII encrypted at rest with AES-256
- Database hosted in ISO 27001-certified data centers
- Access tokens stored in an encrypted secrets vault
- Backups encrypted and replicated across availability zones
- No plain-text secrets stored anywhere in our codebase
Retention Policy
- Active merchant data: retained for the duration of subscription
- Webhook logs: retained for 90 days
- Deleted store data: purged within 30 days of uninstall
- Analytics data: retained in aggregate for 2 years
- Support conversations: retained for 1 year
HMAC Signature Verification
Every webhook payload sent by our system is signed with an HMAC-SHA256 signature. Merchants can verify that a webhook genuinely originated from SR Innovations before processing it. Compute the HMAC over the raw request body exactly as received (not over a parsed and re-serialized object, which may differ byte for byte), compare the result in constant time, and only then parse and act on the event.
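The following is an added example, not SR Innovations' code, showing both ends of the scheme described above: the sender signs the exact bytes it transmits, and the receiver verifies the raw body before parsing, rejecting tampered payloads, a wrong secret, a missing header and a malformed short signature without throwing. The header name `x-sr-signature`, the secret value and the event contents are constructed for the example; the page does not state which header SR Innovations uses. The page's own verification function follows below.

```typescript
import * as crypto from "node:crypto";

// Header name is an assumption for this example; the page does not name it.
export const SIGNATURE_HEADER = "x-sr-signature";

// Sender side: sign the exact bytes that go on the wire.
export function signPayload(rawBody: string, secret: string): string {
  return crypto.createHmac("sha256", secret).update(rawBody, "utf8").digest("base64");
}

// Receiver side: recompute over the raw body and compare in constant time.
// Length is checked first because timingSafeEqual throws on unequal buffers,
// which would turn a malformed header into a crashed handler.
export function verifyPayload(rawBody: string, signature: string | undefined, secret: string): boolean {
  if (!signature) return false;
  const expected = crypto.createHmac("sha256", secret).update(rawBody, "utf8").digest();
  const provided = Buffer.from(signature, "base64");
  if (provided.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, provided);
}

// Minimal model of an HTTP delivery: headers plus the raw body string.
interface Delivery {
  headers: Record<string, string>;
  rawBody: string;
}

export function deliver(event: object, secret: string): Delivery {
  // Indented JSON on purpose: the sender's bytes contain whitespace that a
  // receiver's re-serialization would drop, which is why raw bytes matter.
  const rawBody = JSON.stringify(event, null, 2);
  return { headers: { [SIGNATURE_HEADER]: signPayload(rawBody, secret) }, rawBody };
}

// Receiver handler: verify first, parse only after the signature checks out.
export function handle(d: Delivery, secret: string): { accepted: boolean; event?: any } {
  if (!verifyPayload(d.rawBody, d.headers[SIGNATURE_HEADER], secret)) return { accepted: false };
  return { accepted: true, event: JSON.parse(d.rawBody) };
}

// Constructed round trip covering the genuine case and the common failure modes.
export function runDemo() {
  const secret = "whsec_constructed_example"; // constructed, not a real secret
  const d = deliver({ id: "evt_1", topic: "subscription/updated", status: "active" }, secret);

  const genuine = handle(d, secret).accepted;
  const tampered = handle({ ...d, rawBody: d.rawBody.replace('"active"', '"cancelled"') }, secret).accepted;
  const wrongSecret = handle(d, "whsec_other").accepted;
  const missing = handle({ headers: {}, rawBody: d.rawBody }, secret).accepted;
  const shortSig = handle({ headers: { [SIGNATURE_HEADER]: "AAAA" }, rawBody: d.rawBody }, secret).accepted;
  // Common bug: verifying a re-serialized body instead of the raw bytes received.
  const reserialized = verifyPayload(JSON.stringify(JSON.parse(d.rawBody)), d.headers[SIGNATURE_HEADER], secret);
  return { genuine, tampered, wrongSecret, missing, shortSig, reserialized };
}
```

In a real handler the raw body must be captured before any JSON body-parsing middleware runs, since middleware typically replaces it with a parsed object.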
import crypto from "crypto";

// Verify an incoming webhook against the raw request body (the exact bytes
// received, before any JSON parsing or re-serialization).
export function verifyWebhook(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload, "utf8")
    .digest();
  const provided = Buffer.from(signature, "base64");
  // timingSafeEqual throws when the buffers differ in length, so reject a
  // malformed signature up front instead of letting it crash the handler.
  if (provided.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(expected, provided);
}
App Store Requirements & OAuth 2.0
Our apps are reviewed and approved by Shopify's Partner team. We implement OAuth 2.0 for merchant authorization and request only the minimum necessary API scopes, so an access token grants no more than the app needs. The install flow uses a fresh state value per attempt and accepts only valid myshopify.com shop domains.
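As an added example (not SR Innovations' or Shopify's code), here is a minimal Shopify-style OAuth 2.0 install flow: build the authorize URL with a least-privilege scope list and a random state, then verify the callback by checking the state, validating the shop domain, and checking Shopify's HMAC over the callback query. The client ID, client secret, redirect URI, scope list and the callback values are placeholders constructed for the example, and the query-signing scheme (hex HMAC-SHA256 over the remaining parameters, sorted by key and joined with `&`) is assumed here for the constructed "Shopify side" of the demo.

```typescript
import * as crypto from "node:crypto";

// Placeholder credentials for this example, not real values.
const CLIENT_ID = "example-client-id";
const CLIENT_SECRET = "example-client-secret";
const REDIRECT_URI = "https://app.example.com/auth/callback";
// Least privilege: an assumed minimal scope set for a subscription app.
const SCOPES = ["read_products", "read_customers"];

// Accept only *.myshopify.com hostnames so a crafted "shop" parameter cannot
// redirect the merchant, or our token exchange, to a look-alike domain.
export function isValidShopDomain(shop: string): boolean {
  return /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i.test(shop);
}

// Fresh, unguessable state per install attempt; the server stores it in the
// session and compares it on the callback.
export function newState(): string {
  return crypto.randomBytes(16).toString("hex");
}

export function buildAuthorizeUrl(shop: string, state: string): string {
  if (!isValidShopDomain(shop)) throw new Error("invalid shop domain");
  const url = new URL(`https://${shop}/admin/oauth/authorize`);
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("scope", SCOPES.join(","));
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("state", state);
  return url.toString();
}

// Assumed signing scheme for the callback query: hex HMAC-SHA256 over the
// parameters other than "hmac", sorted by key and joined with "&".
export function signQuery(params: Record<string, string>, secret: string): string {
  const message = Object.keys(params)
    .filter((k) => k !== "hmac")
    .sort()
    .map((k) => `${k}=${params[k]}`)
    .join("&");
  return crypto.createHmac("sha256", secret).update(message).digest("hex");
}

export function verifyCallback(query: Record<string, string>, expectedState: string): boolean {
  const { hmac, shop, state, code } = query;
  if (!hmac || !shop || !state || !code) return false;
  if (!isValidShopDomain(shop)) return false;
  // State must match the value we issued; compare in constant time.
  const a = Buffer.from(state);
  const b = Buffer.from(expectedState);
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  // The HMAC covers every other parameter, so a swapped "shop" or "code" fails here.
  const expected = Buffer.from(signQuery(query, CLIENT_SECRET), "hex");
  const provided = Buffer.from(hmac, "hex");
  if (provided.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, provided);
}

// Constructed walk-through: issue the redirect, then receive a signed callback.
export function runDemo() {
  const shop = "example-store.myshopify.com";
  const state = newState();
  const url = buildAuthorizeUrl(shop, state);

  // Callback as the authorization server would send it after merchant approval
  // (constructed here and signed with the same secret).
  const query: Record<string, string> = { code: "constructed-auth-code", shop, state, timestamp: "1700000000" };
  query.hmac = signQuery(query, CLIENT_SECRET);

  const ok = verifyCallback(query, state);
  const forgedShop = verifyCallback({ ...query, shop: "other-store.myshopify.com" }, state);
  const wrongState = verifyCallback(query, newState());
  const badDomain = verifyCallback({ ...query, shop: "example-store.myshopify.com.evil.example" }, state);
  return { url, ok, forgedShop, wrongState, badDomain };
}
```

Only after `verifyCallback` succeeds should the `code` be exchanged for an access token, which is then stored in the secrets vault described above rather than in application config.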
Security Vulnerability Disclosure Program
We believe in working collaboratively with the security community. If you discover a vulnerability in our platform, we want to hear from you.
Contact Us
Report security vulnerabilities to security@srinnovations.dev with a detailed description of the issue and steps to reproduce it.
48-Hour Response
We commit to acknowledging your report within 48 hours and will keep you updated as we investigate and remediate the issue.
Good Faith Protection
We will not take legal action against researchers who discover and report vulnerabilities in good faith. We ask that you give us reasonable time to remediate before public disclosure.
Recognition
We publicly acknowledge security researchers who help improve our platform security, with your permission, in our security hall of fame.
Out of Scope
Social engineering attacks, denial-of-service attacks, and vulnerabilities requiring physical access to devices are outside the scope of this program.
Certifications & Compliance
We continuously work toward industry-standard compliance certifications.
Have a Security Question?
Our security team is available to answer questions about how we protect your data and our platform.
security@srinnovations.dev