Last updated: May 2026
Every backup archive is encrypted with AES-256-GCM before it is uploaded to cloud storage. This means your storage provider — Cloudflare R2 — receives only ciphertext and cannot read your backup data. Each backup uses a unique randomly generated IV, and the GCM authentication tag ensures any tampering is detected on restore.
This is a layer on top of Cloudflare R2's own storage-layer encryption (AES-256 at rest). Your data is encrypted twice: once by Stashback before upload, and once by the storage provider at rest.
Pro plan backups are replicated in real time to both a US and an EU Cloudflare R2 data centre. A regional outage or object-level corruption in one region does not affect your ability to restore from the other.
Backup download links are HMAC-signed with a short expiry. Unsigned or expired links are rejected. Backup files are served in their encrypted form — decryption happens only at restore time, within the application.
Only the Shopify store that created a backup can access or restore it. Cross-store access requires explicit claim verification via a private key shown only to the original store owner. Admin access to merchant data is restricted by role (administrator / support) and all admin actions are recorded in an immutable audit log.
This policy describes how Stashback identifies, responds to, and communicates security incidents affecting merchant or customer data.
This policy applies to any security incident affecting Stashback systems, including unauthorized access to merchant backup data, credential or token exposure, data breach, or infrastructure compromise.
Incidents may be identified via application error logs, infrastructure alerts, third-party security notifications, or merchant reports. To report a security concern, please use our contact form.
Upon identifying a potential incident:
If an incident results in unauthorized access to a merchant's backup data, affected merchants will be notified within 72 hours of confirmation. Notification will be sent to the store owner's email address and will include: what data was affected, what actions were taken, and any steps merchants should take.
Where a data breach involves personal data and meets the reporting threshold under applicable law (including GDPR), we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
We will notify Shopify of any confirmed security incident affecting merchant data in accordance with Shopify's Partner Program requirements.
After resolving an incident, we will conduct a review to identify the root cause and implement controls to prevent recurrence.
To report a security concern, please use our contact form.