Security
Last Updated: November 9, 2025
Our Commitment to Security
At CustomEase, we take the security of your data seriously. This page outlines our security practices and measures to protect your information.
Security Infrastructure
Data Encryption
In Transit
- All data transmitted uses TLS 1.3 encryption
- HTTPS enforced for all connections
At Rest
- Database encryption using AES-256
- S3 bucket encryption for stored files (AES-256)
- Encrypted backups with secure key management
- Access tokens stored with database-level encryption
Network Security
- Web Application Firewall (WAF) protection
- DDoS protection
- Rate limiting to prevent abuse
- Regular security patches and updates
Application Security
Authentication and Access Control
- Secure OAuth 2.0 flow for app installation
- Token-based authentication with Shopify
- Session management with secure, HTTP-only cookies
- OAuth scopes:
read_products,write_products,read_orders,read_customers - Multi-tenant data isolation
- Multi-factor authentication (MFA) for administrative access
API Security
- HMAC-SHA256 signature verification for all Shopify webhooks
- API rate limiting
- Input validation and sanitization
- Protection against common attacks: SQL injection, XSS, CSRF, and timing attacks
- Secure file upload handling
App Proxy Security
- HMAC signature validation for all App Proxy requests
- Query parameter validation and sanitization
Data Protection Practices
Data Minimization
We only collect and store data necessary to provide our service:
- Store domain and basic configuration
- Product information you choose to make customizable
- Customer design data and customization content
- Order information: order numbers, customer names, email addresses, phone numbers, and shipping addresses (used only for order fulfillment and print delivery)
Customer Personal Information Protection:
- Customer names, emails, phone numbers, and shipping addresses are used solely for print order fulfillment
- NOT collected: Payment information
- Not used for marketing, advertising, or other purposes
- Encrypted in storage and transmission
- Automatically deleted when app is uninstalled
Data Isolation
- Multi-tenant architecture with strict data segregation
- Each store's data is isolated in the database
- No cross-tenant data access possible
Data Retention
- Active data retained while app is installed
- Automatic deletion upon app uninstallation
- Audit logs retained for compliance purposes as required by applicable law
Secure Data Deletion
When you uninstall our app, we automatically delete your data:
- All deletion requests are verified for authenticity
- All your data is automatically deleted, including sessions, product configurations, customer customizations, order records, and stored files
- Deletion operations are logged for compliance purposes
Retained Data (compliance only):
- Audit logs (retained for compliance purposes as required by applicable law)
- Webhook execution logs (retained for compliance purposes)
Compliance and Standards
GDPR Compliance
- Full compliance with EU General Data Protection Regulation
- Data subject rights supported (access, deletion, portability)
- Privacy by design and by default
Shopify Requirements
- Full compliance with Shopify's App Store requirements
- Mandatory GDPR webhooks implemented:
customers/data_request: Handle customer data access requestscustomers/redact: Delete customer personal data on requestshop/redact: Delete all shop data when merchant closes store
- APP_UNINSTALLED webhook for automatic cleanup
- HMAC verification for all webhook requests
Incident Response
In the event of a security incident:
- Affected users will be notified within 72 hours (GDPR requirement)
- We will work to contain, remediate, and review the incident
Incident Reporting
To report a security issue:
Email: support@customease.app
Contact Us
For security-related inquiries:
Email: support@customease.app
Website: https://customease.app
Last reviewed and updated: November 9, 2025