Security Overview

WarpWare XEO

Effective Date: May 10, 2026 Last Updated: May 10, 2026

Our Approach to Security

WarpWare uses industry-standard safeguards to protect Merchant data, including encryption in transit (TLS), access controls limited to authorized maintainers, and vendor due diligence for our service providers. We notify Shopify of security incidents per our obligations under the Shopify API Terms, and we will notify affected merchants without undue delay (and consistent with applicable law). No method of transmission over the Internet is 100% secure.

Data We Process

What We Access

• Product information (titles, descriptions, images, categories, tags)
• Product variants, pricing, and (with the read_inventory scope) stock quantities
• Store name, domain, and configuration
• Usage and error logs to operate the App

What We Do Not Access

This App is classified as Level 1 under Shopify’s Protected Customer Data Policy. We do NOT access customer names, email addresses, phone numbers, physical addresses, or payment information. Merchants who opt in to A/B testing grant the optional read_orders scope, in which case we receive the orders/create webhook and extract only product IDs, quantities, and totals required for conversion attribution; customer identifiers are discarded on receipt.

How We Protect Your Data

• Encryption in transit: TLS for all external connections (Shopify API, AI inference providers, our App).
• Authentication: Shopify OAuth 2.0; API tokens stored encrypted and never logged in plain text.
• Webhook integrity: HMAC verification on all Shopify webhooks.
• Access controls: Production access limited to authorized maintainers on a least-privilege basis.
• Dependency hygiene: Automated dependency vulnerability scanning.
• Sub-processors: We use third-party service providers (cloud hosting, AI inference, error and log monitoring, analytics), bound by confidentiality and data protection obligations. A current list is available on request to privacy@warpwareworks.com.

AI Processing

We send only product data (titles, descriptions, categories, tags, store name) to our AI inference provider — never customer personal information, order PII, or payment information. Our AI provider does not use API data to train models.

All AI-generated content requires your manual review and approval before publication.

Incident Response

If we discover a security incident affecting Merchant data, we will:

1. Investigate and contain the issue.
2. Notify affected merchants without undue delay (and consistent with applicable law), with a description of what happened, what data was affected, and steps being taken.
3. Notify Shopify per our obligations under the Shopify API Terms.

Reporting a Vulnerability

If you discover a security vulnerability, please email security@warpwareworks.com with the subject “Security Vulnerability” and a detailed description. We appreciate responsible disclosure.

Data Retention and Deletion

When you uninstall the App, Shopify sends the shop/redact webhook. We delete production Merchant data shortly thereafter (typically within 48 hours), with full removal from active backups within 30 days and from archived backups within 90 days. We may retain anonymized aggregated usage statistics, plus minimal records required by law (e.g., tax records).

Contact

Security questions: security@warpwareworks.com Privacy questions: privacy@warpwareworks.com

Related Documents

• Privacy Policy
• Terms of Service
• Shopify Security

Version: 1.0 Effective: May 10, 2026 Last Updated: May 10, 2026 Contact: security@warpwareworks.com