// Trust & Security Report
Shopify Inc.
Shopify AI / Sidekick / Shopify Magic
Certifications held
3
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on shopify.com“We invested significant time and money to obtain our Level 1 PCI certification and that our certification covers your store, its shopping cart and web hosting. All Shopify stores using our platform are automatically PCI compliant by default.”
Verify on shopify.com“Shopify hat SOC 2 Typ II- und SOC 3-Berichte fur die Services erhalten, die es seinen Kunden bereitstellt. [Shopify has received SOC 2 Type II and SOC 3 reports for the services it provides to its customers.]”
Verify on shopify.com“SOC 3 Report (April 1, 2025 to March 31, 2026) - provides assurance over the organization's system and company-level controls. Publicly accessible.”
> Show 2 unconfirmed / not-held certifications
source: shopify.comNo ISO 27001 certification listed on Shopify's compliance reports page or security page. Only PCI DSS and SOC reports are published.
source: shopify.comNo HIPAA certification or BAA offering mentioned on Shopify's security or compliance pages.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
Primary: Canada (HQ, Ottawa). EU/EEA/UK: Shopify International Ltd., Dublin, Ireland. Asia/ANZ: Shopify Commerce Singapore Pte. Ltd. Data transfers outside EWR protected by Standard Contractual Clauses and Canadian adequacy decision (EU Commission).
Shopify explicitly states: 'Shopify doesn't use any merchant's store-level data to power Shopify Magic for other merchants.' Store data is not used to train foundation models. Shopify Magic uses a merchant's own store data only to return results to that same merchant. Anonymized data may be retained for service improvement per the privacy policy.
// Security controls
Bug Bounty Program
Dedicated program on HackerOne (hackerone.com/shopify and shopify.com/bugbounty). Payouts up to $200,000. Sidekick and AI features were specifically in scope for a micro-live hacking event in September 2025.
shopify.comPenetration Testing
Annual on-site assessments by a Qualified Security Assessor (QSA) for PCI DSS Level 1. Quarterly external ASV vulnerability scans (most recent: April 8, 2026; prior: February 18, 2026; December 26, 2025).
shopify.comIndependent Audits
SOC 2 Type II audit conducted by independent external auditor. PCI DSS AoC valid June 27, 2025 to June 27, 2026, completed by a QSA annually.
shopify.comEncryption
Implied by PCI DSS Level 1 compliance (requires encryption of cardholder data in transit and at rest). No specific encryption algorithm details published on the security page.
shopify.comTransparency Report
Published annually. Documents legal requests for merchant/customer/partner information, evaluation process, and fulfillment rates.
shopify.comAccess Controls (Sidekick)
Sidekick respects store access controls: team members only interact with data and features they are authorized to use.
shopify.com// Products & data scope
data: Has direct access to merchant's Shopify admin data (sales, orders, inventory, traffic, products, collections). Conversations stored and used to provide personalized responses over time. Data NOT shared with other merchants or used to train foundation models.
Embedded in the Shopify admin dashboard. Included in Shopify subscription plans. Not a separate product with its own privacy policy - governed by Shopify's overarching privacy/security framework and PCI DSS Level 1 / SOC 2 Type II coverage.
data: Uses merchant's own store data for AI-driven content, predictions, and automation features. Store-level data not used to power Shopify Magic for other merchants. Built on a mix of Shopify proprietary data and third-party LLMs (providers not disclosed).
Sidekick is the conversational interface for Shopify Magic capabilities. Both are governed by the same privacy and compliance framework.
data: Same as core Shopify plus enterprise-grade support. Likely includes more formal DPA options and dedicated compliance assistance.
Enterprise tier merchants may negotiate custom data processing agreements. Shopify provides a dedicated privacy portal for data subject requests.
data: Consumer personal data (purchase history, payment info). Governed by separate consumer privacy policy addendum. Consumer data processed under Shopify's PCI DSS Level 1 scope.
Different data controller/processor relationship than merchant-facing products. Consumer data requests must be made to Shopify directly (not via merchant).
data: In-person transaction data, cardholder data, customer profiles. PCI DSS Level 1 coverage extends to POS transactions processed through Shopify Payments.
Physical card transactions add a separate compliance surface; merchants using third-party payment processors are responsible for their own PCI DSS compliance for that portion.
// What to watch
- DPA availability not explicitly confirmed via self-service page - Shopify Plus merchants likely have access but standard plan merchants should verify
- ISO 27001 is NOT held by Shopify - some third-party Shopify partners hold it, which could cause confusion
- Specific LLM providers powering Shopify Magic/Sidekick are not disclosed publicly
- Sidekick 'remembers information from your conversations' - retention period for conversation history not specified in public documentation
- No HIPAA BAA available - not suitable for handling protected health information in regulated healthcare contexts
// At a glance
Pricing model
Subscription (Basic, Shopify, Advanced, Plus). Sidekick included in all plans at no extra cost. Plus pricing custom/enterprise.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Shopify Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
shopify.com