How We Secure Data Between Endpoints
We secure the communication between our endpoints with SSL/TLS, specifically TLS 1.2 with a strong key exchange (ECDHE_RSA with P-256) and a strong cipher (AES_128_GCM).
You can view the details of this connection by visiting https://api-gateway.shiphero.com, opening the browser inspector (we recommend Chrome), and viewing the certificate details.
How We Prevent Spoofing Of Requests From Shopify
Shopify Webhooks provide HMAC authentication, which ShipHero uses to authenticate expected Shopify requests. Details on how HMAC authentication is implemented between Shopify Webhooks and ShipHero endpoints can be found here: https://help.shopify.com/api/getting-started/webhooks#verify-webhook.
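As an added illustration (not ShipHero's or Shopify's own code), this is the webhook check Shopify documents: the `X-Shopify-Hmac-Sha256` header carries the base64-encoded HMAC-SHA256 of the raw request body, keyed with the shared secret. The secret, sample body and function names below are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample values for illustration; not real credentials or traffic.
SHARED_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"id":1001,"email":"buyer@example.com","total_price":"19.99"}'


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Sender side: base64(HMAC-SHA256(secret, raw request body))."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Receiver side: accept only if the header matches the HMAC of the
    exact bytes received (not a re-serialised copy of the JSON)."""
    if not header_value:
        return False  # missing header: reject rather than fall through
    try:
        received = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return False  # header is not valid base64
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    header = sign_body(SHARED_SECRET, SAMPLE_BODY)
    print("valid request:     ", verify_webhook(SHARED_SECRET, SAMPLE_BODY, header))
    # Whitespace changed by re-serialising the JSON: the digest no longer matches.
    reserialised = SAMPLE_BODY.replace(b":", b": ")
    print("re-serialised body:", verify_webhook(SHARED_SECRET, reserialised, header))
    print("wrong secret:      ", verify_webhook(b"other-secret", SAMPLE_BODY, header))
    print("missing header:    ", verify_webhook(SHARED_SECRET, SAMPLE_BODY, None))
```

The verification has to run over the request body exactly as received; frameworks that parse JSON before the handler sees it need to expose the raw bytes for this check.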
How We Protect Data
ShipHero is careful about what data it stores. No customer credit card information is stored directly on the ShipHero platform. Sensitive data such as account passwords is hashed and never stored as clear text. Internal security policy requires ShipHero engineers to communicate with DB infrastructure only over authenticated, secure connections, and with read-only access unless specific write access rights have been granted. All data access is logged in accordance with PCI Level 4 recommended security practices, and the platform runs on PCI Level 1 hosting infrastructure provided by AWS.