Security & Trust

Built privacy-first for Shopify merchants

ArgosAd is engineered to hold the minimum data needed to deliver programmatic advertising, encrypt what we do hold, and prove it. Below is a plain-English summary of our security and data-protection posture.

Last updated · May 11, 2026

Data we collect, and what we don't

We collect only what's required for ad attribution and audience modeling. Everything else stays in your Shopify admin.

What we collect

  • SHA-256-hashed customer email and phone (never plaintext)
  • Pseudonymous browser identifiers (cookie ID, fingerprint)
  • Shopify order data for conversion attribution
  • Hashed shop and merchant identifiers

What we never store

  • Plaintext email, phone, or postal address
  • Order notes, line-item personalization, or message content
  • Raw IP addresses on the bidder hot path (aggregated only)
  • Customer payment details (we never touch them)

Encryption at rest and in transit

Every network hop is TLS 1.3. Every secret on disk is wrapped with AES-256-GCM before it reaches Postgres.

In transit
TLS 1.3 between browser, plugin, bidder, and database. No plaintext HTTP anywhere in the request path.
At rest (application layer)
Sensitive secrets are wrapped with AES-256-GCM (authenticated encryption) using a key held in our hosting provider's secret manager, never in source control.
At rest (disk layer)
Backed by managed Postgres providers with disk encryption always on (Neon, Supabase, AWS RDS, GCP Cloud SQL). Backups inherit disk-level encryption.
Tamper detection
AES-GCM verifies its authentication tag over the whole ciphertext before releasing any plaintext, so a flipped bit, a truncated blob or a wrong key fails closed: decryption errors out rather than decoding to garbage. This guarantee assumes each nonce is used once per key.

Inter-service authentication

Even inside our own infrastructure, services don't trust the network β€” they verify every request.

Plugin → bidder calls are signed with HMAC-SHA256 over a canonical JSON body (keys sorted at every level, no whitespace) and verified server-side with a constant-time compare, so a forged or modified request is rejected before it is processed. The shared secret lives in our secret manager and supports overlap rotation: the bidder accepts the current and the previous key while clients roll over. The signature stops tampering and stops a compromised component from calling the bidder without the key; replay is prevented only when the signed payload also carries a timestamp or nonce that the bidder checks.

Data retention

We delete data on a documented schedule. Retention is enforced by a weekly automated job, not a runbook that someone might forget.

  • Retry-queue jobs (completed): 90 days
  • Audit logs: 365 days
  • Install nonces: 24 hours
  • Shopify sessions: until uninstall + 30 days
  • Shop configuration: until uninstall + 30 days (or 48h after shop/redact)
  • Storefront cookie: 365 days (browser-side, auto-expires)

GDPR & CCPA compliance

We honor every Shopify-mediated privacy webhook and respond within the deadlines the regulations set.

customers/data_request
Customer asks for their data. We acknowledge the webhook within the window Shopify requires and deliver the export within 30 days (GDPR Article 15).
customers/redact
Shopify sends this webhook 10 days after a customer requests deletion of their data. We purge identity records, conversions, and pixel events within the 30-day SLA (GDPR Article 17).
shop/redact
Fires 48h after uninstall. We delete the merchant's bidder shop, identities, conversions, and Redis state.
Data subject rights
Access, erasure, portability (JSON), and objection are all supported via Shopify's privacy portal.

Access controls & audit logging

Every read of a merchant secret or PII row flows through a single boundary in code that logs the access.

  • Single read boundary in the codebase: bidder credentials are decrypted in exactly one helper, and every call to it is audited.
  • Least-privilege roles (engineer / SRE / support / read-only), applied as the team grows.
  • MFA enforced on every system that holds production data: GitHub, Shopify Partners, hosting console, managed Postgres, secret manager.
  • Quarterly access reviews logged in our internal policy document.
  • Production database write access deliberately split from code-change permissions.

Incident response

If something goes wrong, we have a written playbook, not improvisation.

Detect & triage
Acknowledged within 30 minutes. Severity classified using a documented matrix (Sev 1–3).
Contain
Rotate compromised credentials first; cut affected sessions; pause the application if needed. All of this happens before deep investigation.
Notify
GDPR Article 33 requires the controller to notify the supervisory authority within 72 hours of becoming aware of a breach, and a processor to notify the controller without undue delay. CCPA notifications run in parallel under California Civil Code § 1798.82. We notify Shopify Trust & Security within 24 hours of any confirmed Sev 1.
Post-mortem
Mandatory for Sev 1/2: root cause via 5-whys, a timeline with measured durations, and action items with owners and due dates.

Sub-processors & data residency

We're transparent about every third party that touches your data and where your data lives.

Sub-processors

  • Shopify: data controller for merchant accounts and Shopify-mediated webhooks
  • Vercel / Render: application hosting and edge delivery
  • Neon / Supabase / AWS RDS: managed Postgres (with disk encryption always on)
  • Resend: transactional email delivery (contact form, system notifications)

Data residency

We host EU-merchant data in EU regions where the managed provider supports it. The bidder's region is declared explicitly in the App Store privacy listing so reviewers and merchants can make an informed decision before installation.

Reach our security team

If you've discovered a vulnerability, received a suspicious message claiming to be ArgosAd, or have a privacy question, we want to hear from you.

Security & privacy contact

security@argosad.io

We acknowledge inbound security reports within 30 minutes and follow up substantively within 24 hours.

Need our Shopify form answers?

Protected Customer Data β€” pre-attested Q&A

We've published our verbatim answers to Shopify's 16 Protected Customer Data questions, with explanations sourced from the same internal record we attest to in the Partner Dashboard.

16 questions across 4 sections
