Security
Last updated: May 8, 2026
Rankmore is built for merchants who care about the security of their store. This page summarizes our security posture across infrastructure, application, data, and operations. Read alongside our Privacy Policy and DPA.
1. Infrastructure
- Hosting: Application workloads run on Vercel (US/EU regions) and Cloudflare Workers. The primary database is Neon Postgres, hosted in AWS.
- Network isolation: All production services communicate over TLS 1.2+ exclusively. No direct database access from the public internet — connections are pooled through Neon's authenticated proxy.
- Edge protection: Cloudflare provides DDoS mitigation, bot management, and WAF rules in front of public surfaces.
- Secrets management: API keys and database credentials are stored as encrypted environment variables in our hosting providers, never committed to source control. Rotation procedures are documented internally.
2. Authentication & access
- Merchant authentication: Rankmore is a Shopify embedded app — merchants authenticate via Shopify OAuth. We do not store passwords.
- Session security: Shopify session tokens are validated on every request via JWT signature verification using the app's client secret.
- Internal access: Production access is restricted to authorized personnel under the principle of least privilege. SSO with mandatory MFA is enforced for all administrative consoles (Shopify Partners, Vercel, Cloudflare, Neon, GitHub).
- Audit logging: Privileged actions on production infrastructure are logged by the underlying provider and retained per provider defaults.
3. Application security
- Input validation: All API inputs are validated with strict Zod schemas before reaching business logic.
- Output escaping: Server-rendered HTML uses React's automatic escaping. SQL queries are parameterized via Drizzle ORM — no raw string concatenation.
- CSRF: Shopify App Bridge session tokens authenticate every state-changing request.
- Dependency hygiene: Dependencies are pinned and reviewed. We monitor advisories via GitHub Dependabot and patch high-severity vulnerabilities promptly.
- Code review: All changes to production code go through pull-request review and automated typecheck/lint/test gates before merge.
4. Data protection
- In transit: TLS 1.2+ for all external traffic; HSTS enforced on rankmore.app.
- At rest: Database storage is encrypted at rest using AES-256 (managed by Neon). Object storage (Cloudflare R2) is encrypted at rest.
- Data minimization: Rankmore reads product, collection, and shop data necessary to generate SEO content. We do not request or store customer PII, order data, or payment data via Shopify scopes.
- Backups: Neon provides point-in-time recovery within the retention window of our plan; we do not export production backups to third-party storage.
5. Shopify-specific protections
- Mandatory webhooks: We implement Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact) — although we do not collect customer data, the endpoints respond correctly per Shopify requirements.
- Webhook verification: All Shopify webhook payloads are verified with HMAC-SHA256 against the app's shared secret before processing.
- Scope minimization: We request only the minimum OAuth scopes required for the app to function (read/write products, content, online store pages and articles, themes for redirects, marketing for press releases).
- Token storage: Shopify access tokens are stored encrypted in our database and never exposed to the client.
6. Sub-processors
Rankmore relies on a small set of vetted sub-processors to deliver the service. The full, current list is maintained in our DPA. Each is bound by contractual data-protection terms.
7. Vulnerability disclosure
If you believe you've found a security vulnerability in Rankmore, please report it responsibly:
- Email: security@rankmore.app
- Please include reproduction steps and any proof-of-concept materials.
- We will acknowledge within 3 business days and aim to remediate critical issues within 30 days.
- We do not currently operate a paid bug-bounty program, but we publicly credit researchers who report responsibly (with permission).
Please do not perform automated scanning, denial-of-service testing, or social-engineering attacks against Rankmore staff or merchants.
8. Incident response
We maintain an internal incident-response runbook covering detection, containment, eradication, recovery, and post-mortem. In the event of a personal data breach, affected merchants will be notified without undue delay and within 72 hours of becoming aware, in line with our DPA and applicable law.
9. Business continuity
Rankmore's stateless application tier auto-scales across multiple availability zones via our hosting providers. Long-running content jobs are durable workflows (Inngest) that resume safely after transient failures.
10. Compliance
- GDPR & UK GDPR: We act as a data processor for merchant data and a controller for our own account data. See our Privacy Policy and DPA.
- CCPA / CPRA: We do not sell or share personal information for cross-context behavioral advertising.
- Shopify App Store: Rankmore complies with Shopify's API License & Terms of Use, Acceptable Use Policy, and Protected Customer Data requirements.
- SOC 2: We are not currently SOC 2 audited. We follow industry best practices and may pursue formal certification as the business grows.
11. Contact
Security questions? Email security@rankmore.app. General inquiries: hello@rankmore.app.