Cyber Security FAQs

Caleb Aviles

Below are some frequently asked questions about our cyber security certifications and protocols. If you have any further questions please reach out to


Does your organization support compliance with the applicable Data Protection regulations, such as GDPR and CCPA?

A - Yes, we are GDPR and CCPA compliant.


Does your organization have SOC 2 Type II or ISO 27001:2013 certifications?

A - Our web-host, Heroku, maintains SOC and ISO certification. For more information visit the Heroku Compliance page.


Is vulnerability assessment and penetration testing performed regularly?

A - Yes, to ensure the quality of our testing, we have third-party providers specializing in this field perform rigorous vulnerability and pen testing on our platform annually.


Is data classified based on its sensitivity?

A - No. We don't store any credit card information, and the only personally identifiable information (PII) we store is shipping address, name, and e-mail.


Given that protection of our customer's data is our key concern, please provide details on how the data is securely transferred between Shopify and your systems and how it is then stored in your systems. Common methods used include API tokens for authentication, HTTPS TLS 1.2, and AES-128 for encryption.

A - We use API tokens and TLS 1.2. This is the required way of connecting to the Shopify API.


Please indicate the data retention period and the time required to complete our data deletion request on such notification from us.

A - Logs and other application activity data are stored for 30 days. Application data is stored indefinitely, but can be anonymized within 30 days of a request.


Does your organization provide OKTA SSO (SAML 2.0) with multi-factor authentication for your clients to access the dashboard?

A - No, multi-factor authentication is not available at this time.


Is multi-factor authentication enforced for internal staff with access to client's data?

A - No, multi-factor authentication is not currently enforced.


Are audit logging functions enforced to record privileged account activities?

A - All application activity is logged.


What is the Whiplash API Uptime?

A - Historically, the Whiplash API has had a 99.99% uptime. You can always check the current status by visiting the Whiplash API status page.


What is the Service Level Agreement (SLA) for uptime?

A - SLAs are negotiated for each account.