Security Overview
Last updated: April 16, 2026
This document describes the security architecture, data handling practices, and compliance features of Adminlog, a Shopify embedded audit trail application developed by Bedrock Digital Apps. It is intended for security teams evaluating Adminlog for enterprise use.
Infrastructure & Data Residency

| Component | Detail |
|---|---|
| Hosting | Enterprise cloud infrastructure in the United States (US-East region). Providers are ISO 27001 certified. |
| Database | Managed PostgreSQL, isolated within a private network — not exposed to the public internet. |
| Backup storage | Encrypted offsite object storage (US region), separate from the primary infrastructure. |
| Edge / DNS | All traffic is fronted by a reverse proxy with automatic TLS, behind a DDoS-protected DNS provider. |
Encryption

| Control | Detail |
|---|---|
| In transit | TLS 1.2+ on all HTTPS connections. SMTP uses STARTTLS. No plaintext HTTP endpoints exist. |
| At rest | Full-disk encryption on all server volumes. Backup objects are encrypted at rest with AES-256. |
| API keys | Stored as SHA256 hashes — never in plaintext. Validated via timing-safe comparison. |
| Webhook signatures | Outbound webhook callbacks to external endpoints are signed with HMAC-SHA256 using per-shop secrets. |
| Audit integrity | Enterprise plan: each audit record includes a SHA256 checksum and a chain hash linking it to the previous record, creating a tamper-evident linked list that can be independently verified. |
Authentication & Access Control

| Control | Detail |
|---|---|
| User authentication | Shopify OAuth 2.0 — all user authentication is handled by Shopify's identity provider. Adminlog does not store passwords. |
| Session management | Server-side sessions stored in PostgreSQL with automatic expiry. Online sessions (browser) expire per Shopify's token TTL. Offline sessions (webhook processing) use long-lived tokens issued by Shopify. |
| Tenant isolation | Every database query is scoped by the merchant's shop domain (shopId). One tenant cannot read, write, or modify another tenant's data. This is enforced at the application layer on every query. |
| Role-based access | Enterprise plan includes 4 roles (Owner, Admin, Auditor, Viewer) with a permission matrix. Currently being rolled out in a staged fashion. |
| API authentication | Enterprise REST API endpoints use API key authentication with SHA256 hashing + rate limiting (1,000 requests/hour per key). |
| Admin access | Server SSH access is key-only (no password auth). Database is accessible only from the internal Docker network — not exposed to the internet. |
Data Handling & PII

| Topic | Detail |
|---|---|
| PII stored | Customer names, email addresses, and phone numbers are stored in audit log records when customer events are tracked. Order customer details (name, email) are stored in order audit logs. |
| Purpose limitation | PII is stored solely to provide the audit trail service — identifying what changed, when, and who was involved. We do not use PII for marketing, profiling, or any purpose beyond the audit function. |
| Data minimization | We only capture data that Shopify delivers via webhooks. We do not make additional API calls to fetch data beyond what's needed for audit logging. |
| Retention | Plan-based: Starter 30 days, Professional 90 days, Enterprise 365 days (configurable up to 5 years). Automated daily cleanup enforces these limits. |
| Deletion on uninstall | When the app is uninstalled, all shop data (audit logs, settings, snapshots, alerts) is permanently deleted within 30 days. |
| GDPR compliance | We process Shopify's mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact) within 48 hours. Enterprise plan includes a GDPR request tracker with SLA timers and a compliance dashboard. |
| Data portability | Merchants can export their full audit history in CSV format at any time from the Reports page. |
Backup & Recovery

| Control | Detail |
|---|---|
| Backup frequency | Daily automated full-database backups. |
| Offsite sync | Backups are synced to encrypted offsite storage via encrypted transfer. |
| Verification | Automated periodic test-restore validates backup integrity. |
| Server protection | On-demand infrastructure snapshots. Destructive-action protection is enabled on production infrastructure. |
Monitoring & Incident Response

| Control | Detail |
|---|---|
| Health monitoring | Continuous self-healing monitoring: checks disk, memory, container health, and service endpoints. Auto-restarts failed containers and alerts the operations team. |
| Uptime monitoring | All public endpoints are monitored with alerting on downtime. |
| Webhook monitoring | Automated daily check identifies shops that have stopped receiving audit events and remediates automatically. |
| Incident response | Documented response procedures cover webhook recovery, data recovery, and backup restoration, with on-call alerting. |
Vulnerability Management

| Control | Detail |
|---|---|
| Dependency management | Automated dependency audit on every build. Container images are rebuilt from scratch on each deploy — no stale layers. |
| OS patching | Host OS kernel and security patches are managed by the underlying cloud provider. |
| Internal audits | Regular internal security audits with documented remediation tracking. |
| SQL injection protection | All database queries use parameterized queries via the ORM. Raw SQL uses tagged-template parameterization, not string interpolation. |
| XSS protection | React's default output escaping, plus explicit HTML escaping in email templates. |
| SSRF protection | Outbound webhook callback URLs are validated: HTTPS required and private IP ranges blocked. |
| Rate limiting | Per-shop webhook rate limiting with tiered limits by plan, plus API rate limiting per key. Progressive quarantine for repeat offenders. |
Compliance Status

| Framework | Status |
|---|---|
| SOC2 Type II | Not yet certified. The technical controls evaluated in a SOC2 audit (access controls, encryption, audit logging, incident response, change management) are implemented. Formal certification is on our roadmap. |
| GDPR | Compliant. GDPR webhooks processed, data retention enforced, data export available, right-to-erasure honored on uninstall. |
| CCPA | Compliant. No data selling. Deletion on request. Export available. |
| PCI DSS | Not applicable. We do not process, store, or transmit payment card data. All payments are handled by Shopify. |
Contact
For security inquiries, vulnerability reports, or to request additional documentation:
Bedrock Digital Apps
Email: support@bedrk.dev
Adminlog by Bedrock Digital Apps — Security Overview v1.0