FlowPort

High-volume Shopify operations

Public support, privacy, terms, and review resources for merchants and Shopify reviewers.

Security

Security controls and incident response for FlowPort.

This page summarizes the current hosted controls used for protected customer data access, audit logging, retention, and security-incident handling.

Security posture

Make protection, retention, and incident response visible enough that reviewers and merchants can understand the hosted stack quickly.

Security pages are part of trust, not paperwork. FlowPort needs to show how protected data is limited, how artifacts are controlled, and how incidents would be handled.

Protected data use

Merchant-requested customer and order workflows

Artifact access

Signed, expiring download links

Security contact

dhookster@gmail.com

Access controls

Protected customer data stays limited to scoped import-export operations and logged access paths.

Audit signals

Protected-data access and compliance events remain visible enough for operational review.

Incident response

The hosted app has a stated path for triage, containment, investigation, and merchant notice.

Access Controls

Protected data handling

FlowPort limits protected customer data access to merchant-requested import and export workflows.

Protected customer data is used only for merchant-requested customer and order workflows
Artifact downloads use signed, expiring links
Hosted PostgreSQL is private and encrypted at rest
Hosted object storage uses server-side encryption
Protected-data access events are logged for customer and order job activity

Retention

Storage and deletion posture

The hosted stack keeps time-bounded access paths and short-lived artifact retention.

Customer data is retained only where needed to complete import, export, validation, and artifact-delivery workflows for the installing merchant.

Generated artifacts on the hosted stack are retained for 7 days, and compliance webhook handling records only minimal audit metadata needed to trace requests.

Incident Response

Response policy

FlowPort follows a documented response path for suspected security events involving merchant or customer data.

Triage begins as soon as a security report is received through the published support or privacy contact
Access can be restricted by rotating app secrets, revoking signed artifact access, and isolating affected services
Relevant logs and audit events are preserved to support investigation and remediation
Merchants are notified when a confirmed incident requires customer-data impact disclosure
