Legal · Effective May 1, 2026
Security
How we keep your merchants' data safe.
Template notice. This document is provided as a reference and does not constitute legal advice. Adapt it with your legal counsel before relying on it for production use.
1. Certifications
SOC 2 Type II
ISO 27001
PCI DSS Level 1
GDPR · CCPA · CPRA
2. Defense in depth
Encryption
AES-256 at rest, TLS 1.3 in transit. Customer-managed keys on Plus.
Access control
Least privilege, MFA required for all employees, hardware keys for production.
Vulnerability management
Continuous dependency scanning, quarterly penetration tests by independent firms.
Audit logging
All admin actions and API requests recorded with retention up to 7 years.
Incident response
24/7 on-call rotation, documented runbooks, post-mortems published within 5 days.
Business continuity
Multi-region replication, hourly snapshots, quarterly disaster-recovery drills.
3. Data residency
Iowa, Belgium and Sydney regions available. Plus customers can pin all data to a specific region.
4. Bug bounty
We pay up to $50,000 for critical vulnerabilities. Report at security@shoppio.pro or via HackerOne.
5. Contact
Security questions: security@shoppio.pro. PGP key fingerprint available on request.
Questions? Email legal@shoppio.pro.