Skip to main content
Charlie is designed with security-first principles. No customer PII, no payment data, minimal attack surface.

Data governance

Shopify-resident data (never accessed by Charlie)

  • Customer PII (names, emails, addresses)
  • Payment and billing information
  • Order details and transaction history
  • Product, variant, and inventory data

Charlie-resident data

Charlie stores only operational configuration:
  • Location settings
  • Safety stock rules
  • Session tokens
  • Job tracking
Charlie contains no PII, no customer data, no payment information.

Data ownership

AspectDetail
StorageAll merchant rules reside in Shopify metafields
Ownership100% merchant-owned
PortabilityNo proprietary formats
UninstallAll data persists in Shopify

Security controls

ControlImplementation
Data isolationComplete separation between merchants, database queries filtered by shop
EncryptionAt rest and in transit
Webhook verificationHMAC signature verification for all Shopify webhooks
Minimal permissionsRead-only access except for metafields
GDPR complianceAutomated handlers for deletion and export requests

Certification status

Charlie does not currently hold SOC2 certification. Mitigating factors:
  • No customer PII stored in Charlie systems
  • No payment data processed or retained
  • Cloudflare (infrastructure provider): SOC2 Type II certified
  • Shopify (platform): SOC2 Type II certified

Risk summary

RiskAssessment
Data breach exposureMinimal — no customer PII in Charlie systems
Payment data riskNone — all transactions remain within Shopify
Vendor lock-inLow — merchant-owned metafields, no proprietary formats
IT burdenZero — no integration, maintenance, or technical debt

Integration

How Charlie integrates with Shopify

Scalability

Performance and availability