Service Organization Controls (SOC 2) (Type II) Trust Services Principles

Privacy Shield

EU-US Privacy Shield


Cloud Security Alliance

Key features

Product security
Network and application security
Additional Security features

Product security


Single Sign-on (SSO) allows you to authenticate users in your systems without requiring them to enter additional login credentials. This Enterprise-level feature enables the platform to support SSO on a dedicated Cluster and Enterprise Plan.


We enable permission levels within the app to be set for your Shopify users automatically. Permissions can be set to include app settings, billing, and PayPal account managers' direction from the local Shopify account set. This feature is optimized for Shopify Plus stores.

Password and Credential Storage

Trackipal doesn't store or cache any PayPal or Shopify passwords. All authentication happens through OAuth federation with PayPal and Shopify stores. It is not possible for client accounts to be leaked, even if the platform is compromised.


We have an uptime of 99.9% or higher. We run on a high-availability AWS architecture with multi-region deployment, and all cron jobs are redundant at the system level.

Customer Best Practices

To prevent attackers from logging in to Shopify accounts, Shopify's security systems detect unusual activity and lock account access when it occurs. In these cases, you need to confirm your identity as part of the login process.

If you haven't logged in to your account for three months or more, then you need to confirm your identity as part of the login process.

Network and application security

Data Hosting and Storage

TrackiPalSync services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the USA. For clients located in Europe, we have a multi-region capability to support GDPR compliance and use an AWS facility in Europe for central data warehousing.

Failover and DR

TrackiPalSync was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail.

Virtual Private Cloud

All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.

Backups and Monitoring

On an application level, we produce audit logs for all activity, ship logs to Graylog for analysis and use S3 for archival purposes.

All actions taken on production consoles or in the Trackipal application are logged.

Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their job.

TrackiPalSync is served 100% over HTTPS. TrackiPalSync runs a zero-trust corporate network: being on TrackiPalSync’s network grants no access to corporate resources and no additional privileges.

We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and Intercom to ensure access to cloud services is protected.


All data sent to or from TrackiPalSync is encrypted in transit using 256-bit encryption.

Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.

We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.

TrackiPalSync uses third-party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised.

Twice yearly we engage third-party security experts to perform detailed penetration tests on the TrackiPalSync application and infrastructure.

TrackiPalSync also runs a ‘bug bounty’ program with Bugcrowd, which gives security researchers a platform for testing and submitting vulnerability reports.

Incident Response

TrackiPalSync implements a protocol for handling security events, which includes escalation procedures, rapid mitigation and post-mortem. All employees are informed of our policies.

Additional Security features


All employees complete Security and Awareness training annually.


TrackiPalSync has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Employee Vetting

TrackiPalSync performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.


All employee contracts include a confidentiality agreement.

PCI Obligations

All payments made to TrackiPalSync go through our partner, Shopify. Details about their security setup and PCI compliance can be found at Shopify’s security page.