Security
Security is the product.
Detectly handles attribution data for real stores and real customers. We treat that responsibility seriously — here's how.
Encryption everywhere
All data in transit is protected with TLS 1.2+. All data at rest — including database and backups — is encrypted with AES-256. Shopify OAuth tokens and third-party credentials are additionally encrypted at the application layer.
Least-privilege access
Production access is restricted to a small group of engineers, protected by hardware-backed MFA, scoped to what's needed, and fully audit-logged. No shared accounts. No production access from personal devices.
Environment separation
Production, staging, and development are isolated at the network, credential, and data layer. Production data never flows to staging or local environments.
Secure development
Every change is peer-reviewed and type-checked. Dependencies are continuously scanned for CVEs. Static analysis and secret scanning run on every commit.
Shopify compliance webhooks
Detectly honors the mandatory customers/data_request, customers/redact, and shop/redact webhooks. Verified requests are processed within Shopify's required timeframes.
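As an added illustration of what "verified" means for these three webhooks (example code written here, not Detectly's own implementation): Shopify signs each webhook body with HMAC-SHA256 under the app's client secret and sends the base64 digest in the X-Shopify-Hmac-Sha256 header, so the receiver recomputes it over the raw body, compares in constant time, and only then dispatches by topic. The secret and the sample payload below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; a real deployment loads the app secret from configuration.
APP_SECRET = b"constructed-example-secret"

# The three mandatory compliance topics named on the page.
COMPLIANCE_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def compute_signature(raw_body: bytes, secret: bytes) -> str:
    """Base64-encoded HMAC-SHA256 of the raw request body, as Shopify sends it."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, headers: dict, secret: bytes) -> bool:
    """Return True only if the X-Shopify-Hmac-Sha256 header matches the raw body."""
    provided = headers.get("X-Shopify-Hmac-Sha256", "")
    expected = compute_signature(raw_body, secret)
    # Constant-time comparison; a missing or wrong-length header simply fails.
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def handle_compliance_webhook(raw_body: bytes, headers: dict, secret: bytes) -> tuple:
    """Verify first, then dispatch by topic. Returns (http_status, action) for the caller."""
    if not verify_webhook(raw_body, headers, secret):
        return 401, "rejected"  # unverified: the payload is never parsed or acted on
    topic = headers.get("X-Shopify-Topic", "")
    if topic not in COMPLIANCE_TOPICS:
        return 400, "unknown-topic"
    payload = json.loads(raw_body)
    shop = payload.get("shop_domain", "")
    if topic == "customers/data_request":
        return 200, f"export:{shop}:{payload['customer']['id']}"
    if topic == "customers/redact":
        return 200, f"redact-customer:{shop}:{payload['customer']['id']}"
    return 200, f"redact-shop:{shop}"


# Constructed sample request, signed with the placeholder secret above.
SAMPLE_BODY = json.dumps({"shop_domain": "example.myshopify.com",
                          "customer": {"id": 1234}}).encode("utf-8")
SAMPLE_HEADERS = {"X-Shopify-Topic": "customers/redact",
                  "X-Shopify-Hmac-Sha256": compute_signature(SAMPLE_BODY, APP_SECRET)}
```

Any change to the body after signing, including whitespace added by re-serialising JSON, invalidates the signature, so verification must run over the raw bytes as received.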
Incident response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and customer notification. Critical customer-impacting incidents are communicated within 72 hours.
Responsible disclosure
If you believe you've found a security vulnerability in Detectly, please email hello@getdetectly.com with a clear description and, if possible, proof-of-concept steps. We commit to acknowledging reports within 48 hours, to not pursuing legal action against good-faith researchers, and to crediting you publicly if you wish once the issue is resolved.
Compliance
- Shopify Protected Customer Data — Detectly follows Shopify's PCD requirements, including data minimization, retention limits, and consent signal handling.
- GDPR & UK GDPR — Detectly operates as a data processor for merchants; DPA available on request.
- CCPA / CPRA — Detectly does not sell personal information.
- SOC 2 — planned; roadmap available on request.
Request our DPA
Our Data Processing Addendum is available at /dpa or as a signed PDF on request from hello@getdetectly.com.