ShipHero prioritizes the security of your data through rigorous encryption standards, authentication protocols, and strict internal access controls. Our infrastructure is designed to meet industry-standard security practices for both data-in-transit and data-at-rest.
Encryption Between Endpoints
ShipHero utilizes SSL (Secure Sockets Layer) to secure communication between all endpoints. We implement high-level encryption standards to ensure data remains private during transmission.
| Security Component | Standard Implemented |
| Protocol | TLS 1.2 |
| Key Exchange | ECDHE_RSA with P-256 |
| Cipher | AES_128_GCM |
You can verify these connection details by visiting https://api-gateway.shiphero.com and viewing the certificate details in your browser’s inspector (recommended: Google Chrome).
Authentication and Spoofing Prevention
To ensure requests from external platforms are legitimate, ShipHero uses HMAC (Hash-based Message Authentication Code). This is specifically utilized for Shopify Webhooks to verify that every incoming request originates from Shopify and has not been tampered with.
For technical details on this implementation, refer to the Shopify Webhook Verification Guide.
Data Protection and Storage Policies
ShipHero adheres to strict data minimization and storage practices to protect sensitive information:
- Credit Card Data: No customer credit card information is stored directly on the ShipHero platform.
- Password Security: All account passwords are hashed and are never stored as clear text.
- Internal Access: ShipHero engineers communicate with database infrastructure only via authenticated secure connections. Access is restricted to Read-Only unless specific write permissions are granted.
- Compliance: Data access is logged according to PCI Level 4 recommended practices. Our hosting infrastructure is provided by AWS, which maintains PCI Level 1 certification.