Security Overview
How ReturnMate secures your data — Shopify authentication, portal verification, encrypted credentials, signed URLs and GDPR handling.
This page describes the security controls that exist in ReturnMate today, who provides them, and what remains your responsibility as a merchant.
Security provided by Shopify
ReturnMate is a Shopify-embedded app. Staff access to the ReturnMate admin is authenticated with Shopify session tokens — your team signs in with their Shopify accounts, and ReturnMate verifies the signed session token on every request.
This means:
- There are no separate ReturnMate passwords to manage or leak.
- Login security — including two-factor authentication — is managed at the Shopify account level. If you require 2FA, enforce it in your Shopify store's staff settings.
- Staff accounts are auto-provisioned from Shopify. The first user becomes an Admin; later users start as Standard. See Users, Roles & Access.
- Removing a staff member from your Shopify store removes their ability to authenticate to ReturnMate.
Security implemented by ReturnMate
Customer portal verification
Customers never have passwords either. Portal access requires a 6-digit email verification code or a single-use magic link sent to the email address on the Shopify order. Sessions are scoped to one store and one email address, and portal endpoints enforce per-endpoint rate limits (for example, verification-code requests are limited to 5 per minute).
Tenant isolation
Every record is scoped to your shop. Authenticated portal and admin requests take the shop identity from the verified token — not from anything in the request body — and cross-shop access attempts are rejected.
Credential and key storage
- Carrier API credentials are encrypted at rest.
- External API keys are shown once at creation and stored only as SHA-256 hashes.
- Zendesk sidebar keys are likewise stored hashed.
Signed file access
Customer evidence photos and videos are uploaded via short-lived presigned URLs (15-minute expiry) into per-shop storage paths, and viewed through signed URLs with a 1-hour expiry. Uploaded files are stored in Asia-Pacific (Sydney, ap-southeast-2) region object storage.
Webhook integrity
- Inbound Shopify webhooks are verified with Shopify's HMAC signature before processing.
- Outbound webhooks to your systems are signed with an HMAC-SHA256
X-Webhook-Signatureheader. See the Webhooks Reference.
Audit trail
ReturnMate records an audit log of significant actions — RMA lifecycle changes, refunds, settings changes, user role changes and integration events — including who performed them. Each RMA also has a full activity timeline visible on the RMA detail page.
Privacy and data deletion (GDPR)
ReturnMate implements Shopify's mandatory privacy webhooks:
- Customer data request / redact — customer personal information on RMAs (email, name, phone) is anonymised on request while operational records are retained.
- Shop redact — after you uninstall, Shopify sends a shop-redaction request and ReturnMate hard-deletes the store's data. Uninstalling immediately deactivates the store and cancels billing; see Installing ReturnMate & Your Data.
Your responsibilities
- Control who has staff access to your Shopify store — that controls who can reach ReturnMate.
- Assign ReturnMate roles conservatively; refunds, settings and user management are Admin-only.
- Treat External API keys and webhook secrets as secrets. Revoke a client in Settings → External API if a key may be exposed — revocation is immediate.
- Keep your dangerous goods emergency contact details current in Settings → Dangerous Goods Compliance.
What ReturnMate does not currently provide
To be explicit, ReturnMate does not currently offer:
- Native two-factor authentication (use Shopify's 2FA)
- Single sign-on (SSO) integrations
- IP allowlisting
- Self-serve audit-log export
We do not publish compliance certifications on this page. If your procurement process requires security documentation, contact support@returnmate.io.