// Trust & Security Report

    Shopify Inc. logo

    Shopify Inc.

    Shopify AI / Sidekick / Shopify Magic

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS Level 1
    HELD

    We invested significant time and money to obtain our Level 1 PCI certification and that our certification covers your store, its shopping cart and web hosting. All Shopify stores using our platform are automatically PCI compliant by default.

    Verify on shopify.com
    SOC 2 Type II
    HELD

    Shopify hat SOC 2 Typ II- und SOC 3-Berichte fur die Services erhalten, die es seinen Kunden bereitstellt. [Shopify has received SOC 2 Type II and SOC 3 reports for the services it provides to its customers.]

    Verify on shopify.com
    SOC 3
    HELD

    SOC 3 Report (April 1, 2025 to March 31, 2026) - provides assurance over the organization's system and company-level controls. Publicly accessible.

    Verify on shopify.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No ISO 27001 certification listed on Shopify's compliance reports page or security page. Only PCI DSS and SOC reports are published.

    source: shopify.com
    HIPAA
    NOT CONFIRMED

    No HIPAA certification or BAA offering mentioned on Shopify's security or compliance pages.

    source: shopify.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    Primary: Canada (HQ, Ottawa). EU/EEA/UK: Shopify International Ltd., Dublin, Ireland. Asia/ANZ: Shopify Commerce Singapore Pte. Ltd. Data transfers outside EWR protected by Standard Contractual Clauses and Canadian adequacy decision (EU Commission).

    Shopify explicitly states: 'Shopify doesn't use any merchant's store-level data to power Shopify Magic for other merchants.' Store data is not used to train foundation models. Shopify Magic uses a merchant's own store data only to return results to that same merchant. Anonymized data may be retained for service improvement per the privacy policy.

    // Security controls

    Bug Bounty Program

    Dedicated program on HackerOne (hackerone.com/shopify and shopify.com/bugbounty). Payouts up to $200,000. Sidekick and AI features were specifically in scope for a micro-live hacking event in September 2025.

    shopify.com

    Penetration Testing

    Annual on-site assessments by a Qualified Security Assessor (QSA) for PCI DSS Level 1. Quarterly external ASV vulnerability scans (most recent: April 8, 2026; prior: February 18, 2026; December 26, 2025).

    shopify.com

    Independent Audits

    SOC 2 Type II audit conducted by independent external auditor. PCI DSS AoC valid June 27, 2025 to June 27, 2026, completed by a QSA annually.

    shopify.com

    Encryption

    Implied by PCI DSS Level 1 compliance (requires encryption of cardholder data in transit and at rest). No specific encryption algorithm details published on the security page.

    shopify.com

    Transparency Report

    Published annually. Documents legal requests for merchant/customer/partner information, evaluation process, and fulfillment rates.

    shopify.com

    Access Controls (Sidekick)

    Sidekick respects store access controls: team members only interact with data and features they are authorized to use.

    shopify.com

    // Products & data scope

    Shopify SidekickAI Commerce Assistant

    data: Has direct access to merchant's Shopify admin data (sales, orders, inventory, traffic, products, collections). Conversations stored and used to provide personalized responses over time. Data NOT shared with other merchants or used to train foundation models.

    Embedded in the Shopify admin dashboard. Included in Shopify subscription plans. Not a separate product with its own privacy policy - governed by Shopify's overarching privacy/security framework and PCI DSS Level 1 / SOC 2 Type II coverage.

    Shopify MagicAI Feature Suite (content generation, predictions, automation)

    data: Uses merchant's own store data for AI-driven content, predictions, and automation features. Store-level data not used to power Shopify Magic for other merchants. Built on a mix of Shopify proprietary data and third-party LLMs (providers not disclosed).

    Sidekick is the conversational interface for Shopify Magic capabilities. Both are governed by the same privacy and compliance framework.

    Shopify PlusEnterprise Commerce Platform

    data: Same as core Shopify plus enterprise-grade support. Likely includes more formal DPA options and dedicated compliance assistance.

    Enterprise tier merchants may negotiate custom data processing agreements. Shopify provides a dedicated privacy portal for data subject requests.

    Shop / Shop PayConsumer-facing apps and payment acceleration

    data: Consumer personal data (purchase history, payment info). Governed by separate consumer privacy policy addendum. Consumer data processed under Shopify's PCI DSS Level 1 scope.

    Different data controller/processor relationship than merchant-facing products. Consumer data requests must be made to Shopify directly (not via merchant).

    Shopify POSPoint of Sale

    data: In-person transaction data, cardholder data, customer profiles. PCI DSS Level 1 coverage extends to POS transactions processed through Shopify Payments.

    Physical card transactions add a separate compliance surface; merchants using third-party payment processors are responsible for their own PCI DSS compliance for that portion.

    // What to watch

    • DPA availability not explicitly confirmed via self-service page - Shopify Plus merchants likely have access but standard plan merchants should verify
    • ISO 27001 is NOT held by Shopify - some third-party Shopify partners hold it, which could cause confusion
    • Specific LLM providers powering Shopify Magic/Sidekick are not disclosed publicly
    • Sidekick 'remembers information from your conversations' - retention period for conversation history not specified in public documentation
    • No HIPAA BAA available - not suitable for handling protected health information in regulated healthcare contexts

    // At a glance

    Pricing model

    Subscription (Basic, Shopify, Advanced, Plus). Sidekick included in all plans at no extra cost. Plus pricing custom/enterprise.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Shopify Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    shopify.com

    > Browse all vendor trust reports