Security

The short version.

A summary of how Shelf protects merchant data. For the detail your security team needs — review questionnaires, control summaries, or a live walkthrough — email us.

Tenancy isolation

Shelf is multi-tenant. Every database query is scoped by the merchant ID derived from the authenticated Shopify session. Cross-merchant reads are not possible through the application surface.

Secrets management

Credentials — database access, third-party API keys, session secrets — are stored in AWS Secrets Manager. Nothing lives in committed code, config files, or environment files.

Data in transit and at rest

See Infrastructure for the encryption posture. Short version: modern TLS on the wire, AES-256 on sensitive columns at the application layer, storage-layer encryption on top of that.

Responsible disclosure

Report a security issue at security@shelfplugin.com. We review reports promptly and coordinate with the reporter on timing.

Want more detail?

For security review questionnaires, SOC 2-style control summaries, a walkthrough of our controls, access-control documentation, or anything else your security team needs — reach out at security@shelfplugin.com. We'll respond with the appropriate level of detail for your review.