Security

Last updated: May 2026

How we protect your backup data

Application-layer encryption (AES-256-GCM)

Every backup archive is encrypted with AES-256-GCM before it is uploaded to cloud storage. This means your storage provider — Cloudflare R2 — receives only ciphertext and cannot read your backup data. Each backup uses a unique randomly generated IV, and the GCM authentication tag ensures any tampering is detected on restore.

This is a layer on top of Cloudflare R2's own storage-layer encryption (AES-256 at rest). Your data is encrypted twice: once by Stashback before upload, and once by the storage provider at rest.

Dual-region storage (Pro plans)

Pro plan backups are replicated in real time to both a US and an EU Cloudflare R2 data centre. A regional outage or object-level corruption in one region does not affect your ability to restore from the other.

Download security

Backup download links are HMAC-signed with a short expiry. Unsigned or expired links are rejected. Backup files are served in their encrypted form — decryption happens only at restore time, within the application.

Access controls

Only the Shopify store that created a backup can access or restore it. Cross-store access requires explicit claim verification via a private key shown only to the original store owner. Admin access to merchant data is restricted by role (administrator / support) and all admin actions are recorded in an immutable audit log.


Security Incident Response Policy

This policy describes how Stashback identifies, responds to, and communicates security incidents affecting merchant or customer data.

1. Scope

This policy applies to any security incident affecting Stashback systems, including unauthorized access to merchant backup data, credential or token exposure, data breach, or infrastructure compromise.

2. What constitutes an incident

3. Detection

Incidents may be identified via application error logs, infrastructure alerts, third-party security notifications, or merchant reports. To report a security concern, please use our contact form.

4. Response steps

Upon identifying a potential incident:

  1. Contain — revoke compromised credentials, isolate affected systems, or disable affected functionality as appropriate
  2. Assess — determine the nature, scope, and which merchants or data are affected
  3. Remediate — patch the vulnerability, rotate credentials, and restore normal operation
  4. Document — record the timeline, impact, and actions taken

5. Merchant notification

If an incident results in unauthorized access to a merchant's backup data, affected merchants will be notified within 72 hours of confirmation. Notification will be sent to the store owner's email address and will include: what data was affected, what actions were taken, and any steps merchants should take.

6. Regulatory notification

Where a data breach involves personal data and meets the reporting threshold under applicable law (including GDPR), we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.

7. Shopify notification

We will notify Shopify of any confirmed security incident affecting merchant data in accordance with Shopify's Partner Program requirements.

8. Post-incident review

After resolving an incident, we will conduct a review to identify the root cause and implement controls to prevent recurrence.

9. Contact

To report a security concern, please use our contact form.