ReturnMate

Security Overview

How ReturnMate secures your data — Shopify authentication, portal verification, encrypted credentials, signed URLs and GDPR handling.

4 min read
Last updated 14 July 2026

This page describes the security controls that exist in ReturnMate today, who provides them, and what remains your responsibility as a merchant.

Security provided by Shopify

ReturnMate is a Shopify-embedded app. Staff access to the ReturnMate admin is authenticated with Shopify session tokens — your team signs in with their Shopify accounts, and ReturnMate verifies the signed session token on every request.

This means:

  • There are no separate ReturnMate passwords to manage or leak.
  • Login security — including two-factor authentication — is managed at the Shopify account level. If you require 2FA, enforce it in your Shopify store's staff settings.
  • Staff accounts are auto-provisioned from Shopify. The first user becomes an Admin; later users start as Standard. See Users, Roles & Access.
  • Removing a staff member from your Shopify store removes their ability to authenticate to ReturnMate.

Security implemented by ReturnMate

Customer portal verification

Customers never have passwords either. Portal access requires a 6-digit email verification code or a single-use magic link sent to the email address on the Shopify order. Sessions are scoped to one store and one email address, and portal endpoints enforce per-endpoint rate limits (for example, verification-code requests are limited to 5 per minute).

Tenant isolation

Every record is scoped to your shop. Authenticated portal and admin requests take the shop identity from the verified token — not from anything in the request body — and cross-shop access attempts are rejected.

Credential and key storage

  • Carrier API credentials are encrypted at rest.
  • External API keys are shown once at creation and stored only as SHA-256 hashes.
  • Zendesk sidebar keys are likewise stored hashed.

Signed file access

Customer evidence photos and videos are uploaded via short-lived presigned URLs (15-minute expiry) into per-shop storage paths, and viewed through signed URLs with a 1-hour expiry. Uploaded files are stored in Asia-Pacific (Sydney, ap-southeast-2) region object storage.

Webhook integrity

  • Inbound Shopify webhooks are verified with Shopify's HMAC signature before processing.
  • Outbound webhooks to your systems are signed with an HMAC-SHA256 X-Webhook-Signature header. See the Webhooks Reference.

Audit trail

ReturnMate records an audit log of significant actions — RMA lifecycle changes, refunds, settings changes, user role changes and integration events — including who performed them. Each RMA also has a full activity timeline visible on the RMA detail page.

Privacy and data deletion (GDPR)

ReturnMate implements Shopify's mandatory privacy webhooks:

  • Customer data request / redact — customer personal information on RMAs (email, name, phone) is anonymised on request while operational records are retained.
  • Shop redact — after you uninstall, Shopify sends a shop-redaction request and ReturnMate hard-deletes the store's data. Uninstalling immediately deactivates the store and cancels billing; see Installing ReturnMate & Your Data.

Your responsibilities

  • Control who has staff access to your Shopify store — that controls who can reach ReturnMate.
  • Assign ReturnMate roles conservatively; refunds, settings and user management are Admin-only.
  • Treat External API keys and webhook secrets as secrets. Revoke a client in Settings → External API if a key may be exposed — revocation is immediate.
  • Keep your dangerous goods emergency contact details current in Settings → Dangerous Goods Compliance.

What ReturnMate does not currently provide

To be explicit, ReturnMate does not currently offer:

  • Native two-factor authentication (use Shopify's 2FA)
  • Single sign-on (SSO) integrations
  • IP allowlisting
  • Self-serve audit-log export

We do not publish compliance certifications on this page. If your procurement process requires security documentation, contact support@returnmate.io.

Was this helpful?
Contact Support