INTRODUCTION

The New Standard for Shopify Loyalty

Transform your customers into a high-octane affiliate force.

Complete control over your reward ecosystem.

Status

Shopify Verified

Security Overview

NestJS · Node.js · TypeScript February 2026

1. Application Overview

Reward Me is a Shopify-embedded application that enables merchants to run affiliate and rewards programs. It is distributed through the Shopify App Store and operates as a server-side application hosted on a dedicated server.

2. Architecture

The application follows a clean, layered architecture (Domain → Application → Infrastructure) with strict separation of concerns. All business logic is isolated from framework code.

All external traffic is routed through a TLS-terminating reverse proxy. The application process is never directly exposed to the internet.
Asynchronous operations are handled via a durable message queue, ensuring reliable processing without data loss.
The application uses Command/Query Responsibility Segregation (CQRS), which limits the scope of any single operation and simplifies security auditing.

3. Authentication & Authorization

Shopify App Authentication

The app implements Shopify's standard OAuth 2.0 installation flow.
All inbound requests from Shopify are authenticated using HMAC-SHA256 signature verification with timing-safe equality checks to prevent timing attacks.
Embedded app sessions use short-lived Shopify-issued JWTs, verified on every request and never persisted.
OAuth state parameters are cryptographically randomised to prevent CSRF attacks.

API Key Authentication

Third-party integrations authenticate via API keys scoped to a specific shop.
API keys are stored as one-way hashes. The plain-text key is shown only once at creation and cannot be retrieved afterwards.
Keys support optional expiry dates and can be deactivated or revoked by the merchant at any time.
Each key records its last-used timestamp for audit purposes.

Permissions

API keys carry explicit, scoped permissions (e.g., affiliates:read, orders:write). Every protected endpoint declares its required permissions, enforced server-side on every request.

Webhook Verification

All inbound Shopify webhooks are verified using HMAC-SHA256 against the raw request body before any processing occurs. Unverified payloads are rejected immediately.

Input Validation

All incoming request payloads are validated against strict DTOs before reaching business logic. Responses are serialised to expose only explicitly declared fields, preventing accidental data leakage.

4. Data Encryption & Storage

In Transit

All external communication is encrypted using HTTPS with TLS certificates issued by a trusted CA, with automatic renewal. No sensitive data is transmitted over unencrypted channels.

At Rest — Database

The MySQL database uses tablespace encryption for all application tables, including transaction logs. Data files on disk are encrypted independently of the application.

At Rest — Application Level

Sensitive entity fields are additionally encrypted at the application layer using strong symmetric encryption before being written to the database, providing defence-in-depth independent of database-level controls.

API Keys & Access Tokens

API keys are stored as one-way hashes and cannot be recovered from the database.
Shopify OAuth access tokens are encrypted at rest and never exposed to browser clients.

5. API Security & Abuse Prevention

Rate limiting is applied globally across all API endpoints.
An automatic abuse-prevention system monitors request patterns and can block sources that repeatedly violate rate limits. Blocks persist across application restarts.
Trusted sources (e.g., internal services) can be whitelisted to bypass rate limiting.
Malicious request patterns (e.g., path traversal attempts) are detected and silently rejected.
All database queries use parameterised statements, preventing SQL injection.

6. Logging & Observability

Log verbosity is configurable per environment. Production environments log errors, warnings, and informational events only — no sensitive debug output.
Server-side errors are logged with sufficient context for rapid diagnosis.
Logs are rotated automatically to prevent unbounded disk usage.

7. Privacy & GDPR Compliance

Mandatory GDPR Webhooks

Webhook	Purpose
`customers/data_request`	Respond to a customer's request for their personal data
`customers/redact`	Delete a customer's personal data upon request
`shop/redact`	Delete all shop data following app uninstallation

Data Minimisation

The app requests only the Shopify API permission scopes necessary for its stated functionality. No excess scopes are declared.

Data Residency

Merchant and customer data is stored on the operator's dedicated infrastructure.
No personal data is shared with third-party analytics or tracking services.

8. Infrastructure

The server attack surface is minimised via firewall rules that restrict open ports to only what is required.
Remote access to the server is via SSH only.
Regular log rotation and cleanup processes are in place.
Encryption keys are backed up separately from data and stored securely.

9. Incident Response

Anomalies are surfaced through structured error logging.
Individual API keys can be revoked instantly by the merchant.
Shopify access can be revoked at any time via the Shopify Partner Dashboard.
Suspected malicious sources can be blocked immediately via the abuse-prevention system.

This document provides a summary of the security controls in place for Reward Me. Detailed implementation information is available on request under NDA.

The New Standard for Shopify Loyalty

Cookie Policy

Security Overview

1. Application Overview

2. Architecture

3. Authentication & Authorization

Shopify App Authentication

API Key Authentication

Permissions

Webhook Verification

Input Validation

4. Data Encryption & Storage

In Transit

At Rest — Database

At Rest — Application Level

API Keys & Access Tokens

5. API Security & Abuse Prevention

6. Logging & Observability

7. Privacy & GDPR Compliance

Mandatory GDPR Webhooks

Data Minimisation

Data Residency

8. Infrastructure

9. Incident Response

Privacy Policy

1. Introduction

2. Information We Collect

3. How We Use Your Information

4. Information Sharing and Disclosure

5. Data Security

6. Data Retention

7. Your Rights

8. Cookies and Tracking Technologies

9. Third-Party Links

11. International Data Transfers

12. Changes to This Privacy Policy

13. Contact Us