Security & Data Handling
Effective: June 1, 2026
We work with merchant catalogs, customer order data, and supplier feeds. Here's how we handle them.
Hosting and data residency
The SPT service runs on reputable, security-reviewed cloud infrastructure hosted in the United States. Customer data is stored in the United States unless we've agreed otherwise in writing.
Encryption
- In transit: All connections to the service and between the service and Shopify use TLS 1.2 or higher.
- At rest: Data at rest is encrypted using strong, industry-standard encryption.
Authentication and access
- Merchant access is via Shopify's OAuth flow; we don't store Shopify passwords.
- Internal access to production systems is restricted to a small number of engineers and requires SSO with MFA.
- We log production access and review the logs periodically.
Customer data
- We process catalog data, fitment data, price/inventory data, and order data on behalf of the merchant.
- We do not sell customer data.
- We do not use customer data to train machine-learning models.
Third-party processors
We use the following sub-processors:
- Cloud infrastructure provider (United States) — application hosting
- Managed database provider (United States) — encrypted data storage
- Static site host / CDN — marketing site delivery
- Google Analytics 4 — website analytics (marketing site only, not the app)
- Formspree — marketing site contact & demo form submissions
- EmailOctopus — newsletter signups and delivery
Backups and disaster recovery
- Encrypted backups are taken on a regular schedule with a defined retention window.
- We test restore procedures periodically.
Vulnerability management
- Dependencies are monitored continuously and patched on a defined cadence based on severity.
- Production infrastructure is scanned regularly; findings are tracked to resolution.
Incident response
We maintain an incident response process. In the event of a confirmed incident affecting customer data, we notify affected merchants without undue delay and follow up with a written summary.
Questions or coordinated disclosure
- General: security@standardpartstoolkit.com
- Coordinated vulnerability disclosure: security@standardpartstoolkit.com — please give us a reasonable window to respond before any public disclosure.