Security
Shopify is committed to maintaining the security of your data. In this guide, you'll learn about the protection and compliance measures that Oxygen has in place to ensure the security of your data, such as distributed denial-of-service (DDoS) protection and PCI compliance.
Authentication and access control
Anchor link to section titled "Authentication and access control"Private previews are protected with single sign-on (SSO) through the same Shopify ID SSO service that enables users to log into the stores, Partner Dashboards, and other Shopify resources that they have access to.
Only users that have access to the store through a Shopify ID, including the store's staff and collaborators, can access private previews of a Hydrogen storefront that's hosted through Oxygen and connected to the Hydrogen channel on that store.
Shopify employees also have access to private previews for support and debugging purposes, but this interaction is logged and can be audited.
DDoS protection
Anchor link to section titled "DDoS protection"A DDoS attack happens when a malicious user attempts to disrupt a server's operations by using multiple connected devices to overwhelm the server with fake traffic.
Oxygen leverages Cloudflare’s DDoS protection for all of its internal components as well as individual custom storefronts. For more information, refer to Cloudflare's DDoS protection documentation.
Oxygen executes custom storefront code inside V8 isolates on Cloudflare’s Workers platform. For more information, refer to Cloudflare's security documentation.
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for organizations that store, process, or transmit credit card information.
Checkouts aren't performed through custom storefronts that run on Oxygen. As required by PCI, the minimum TLS version configured is 1.2. However, custom storefronts shouldn't store or receive banking data.
The GDPR (General Data Protection Regulation) is the European Union’s data privacy law. The GDPR requires companies to take steps to provide individuals with more visibility into and better control over how their personal data is used. It also requires that companies handle that data securely and responsibly.
Shopify believes strongly in protecting your customers' personal data as well as your own. For more information about Shopify's compliance with GDPR, refer to our Privacy documentation.
Infrastructure
Anchor link to section titled "Infrastructure"Storage of assets, workers, and metadata
Anchor link to section titled "Storage of assets, workers, and metadata"Assets are encrypted at rest and served globally through the Shopify content delivery network (CDN). Workers and environment variables are also backed up separately and encrypted at rest to enable disaster recovery by redeploying to Cloudflare.