Data Security Policy

Updated June 30, 2026

Order Automator app has been reviewed and recognized by Shopify as trustworthy, fast, easy to use, and useful (see Built for Shopify section below).

We are small team of professional developers that have built dozens of apps and custom websites, and have years of experience managing public applications accessed by thousands of daily users.

Order Automator is owned by Automator Apps, LLC, a United States company that builds apps.

Embedded Shopify App

Order Automator is an embedded Shopify app, this means that the only way to install and access it is inside a Shopify store.

Order Automator only processes information from authorized requests (your Shopify store, and in some cases our own website).

Third-Party Marketplace Integrations

Order Automator has features to connect third-party marketplaces such as Amazon and TikTok Shop. Access to these marketplaces is only possible after you authorize the connection from within the app. Any data gathered on these marketplaces is the minimal required to perform the feature's function.

Built for Shopify

Order Automator has the official Built for Shopify badge, meaning that it's an embedded Shopify app and reviewed by Shopify as "Trustworthy, Fast, Easy to use, and Useful. These are the apps that have cleared Shopify's highest quality bar" (apps.shopify.com/stories/guide-built-for-shopify).

See the badge on our app store listing: apps.shopify.com/order-automator.

Hosting

Order Automator is hosted on Heroku, a world class cloud platform as a service that handles app infrastructure and security.

Heroku is PCI compliant and has multiple security measures in place. See details at heroku.com/policy/security.

Data Location

Order Automator production systems (application, database, and job queue) are hosted in the United States via Heroku (AWS infrastructure). Data accessed through our integration is processed and stored within these US-based systems.

Infrastructure and Service Providers

We use trusted providers to operate the app: Heroku (hosting, PostgreSQL, Redis), AWS (underlying infrastructure), Shopify (merchant platform).

Technical Safeguards

  • All API and webhook traffic uses HTTPS/TLS
  • Incoming webhooks (ex: from TikTok Shop) are verified using HMAC-SHA256 signatures before processing
  • OAuth tokens are stored securely and refreshed automatically
  • Sensitive parameters (passwords, tokens, secrets) are filtered from application logs
  • Code changes are reviewed before deployment to production

Access Control

Access to the Order Automator database and production server is restricted to the CTO and only strictly necessary authorized engineers.

Access to systems and data is granted on a least-privilege basis, each team member and integration is given only the minimum permissions required.

We do not have access to log into your Shopify store, but a team member may request it at times to help with configurations or investigate a problem in your store. When we request access, it's an official Shopify collaboration access with limited privileges.

Data is classified in our database as regular and sensitive. API credentials and tokens are filtered from application logs and accessible only to authorized personnel.

Data Storage

We do not store or use collected personal data other than for functionality that our app users accept and authorize.

When you delete Order Automator, it gets disconnected from your Shopify store, access gets revoked, and database records of your app configurations get deleted.

Incident Management

We have never had a serious security incident but have the following response plan in place.

Roles: The CTO is the primary incident owner and decision-maker. All team members are responsible for immediately reporting suspected incidents to the CTO.

Communication channels:

  • Internal: Direct notification to CTO via Slack and email
  • External (affected merchants): Email to the affected shop's contact address and notice posted at orderautomator.com
  • Contact us: support@orderautomator.com

Response steps:

  1. Immediately contain the affected area, rotate credentials, revoke compromised tokens, restrict access
  2. Scale down background jobs and restrict app access while investigating
  3. Identify the root cause and scope of affected data/users
  4. Revert to the last known good version of the app and database if needed
  5. Notify affected parties of what happened, what data was involved, and remediation steps
  6. Document the incident, update the response plan, and implement preventive measures

Our recovery time objective (RTO) is to restore service within 24 hours of a confirmed incident. Heroku's managed infrastructure provides database backups and rollback capability to support recovery.

Privacy and Compliance

We also comply with Shopify's mandatory privacy webhooks (customer data request, customer redact, shop redact). See our Privacy Policy for broader data practices.

Changes

We may update this data security policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

Contact Us

If you have any questions or want to opt out of certain features please contact us at orderautomator.com/contact or by mail using the details provided below:

Automator Apps, LLC
30 N Gould St Ste R
Sheridan, WY 82801