Security and Privacy Review Checklist

Account and Access Hardening

    Pull the Shopify staff list and confirm each account maps to a current employee or contractor. Downgrade owner-equivalent permissions where the role doesn't need them — finance staff rarely need theme or app installation rights. Common gotcha: a former agency or freelance developer still listed with full permissions months after the engagement ended.

    Confirm 2FA is enforced (not just optional) on Shopify, Amazon Seller Central, Klaviyo, Gorgias, the domain registrar, and the email provider. SMS-based 2FA is acceptable for low-risk accounts; admin and finance accounts should use an authenticator app or hardware key. Document which platforms are verified this quarter.

    Rotate private app tokens and API keys for Klaviyo, Recharge, ShipStation, and any custom integrations. Revoke any unused tokens. Keys that have been pasted into shared docs, Slack, or freelancer environments should be rotated regardless of perceived risk.

    Open Settings → Apps and review every installed app. Uninstall apps no longer in use — abandoned apps retain customer-data access scopes. For apps that remain, note the data scopes (customer read, order read, write) and confirm the vendor is still operating and patched.

    Cross-reference HR's offboarding list against active accounts on every platform from the prior step. Offboarding is the most common gap — an employee leaves, Shopify access gets removed, but Klaviyo, Gorgias, and the 3PL portal don't.

Storefront and Payment Security

    Check the certificate on the apex domain, www subdomain, and any custom checkout subdomain. Shopify-managed certs renew automatically; custom-DNS or reverse-proxied setups don't. Record the next expiration date so a calendar reminder fires 30 days ahead.

    If checkout runs on Shopify Payments, Stripe, or PayPal hosted fields, you remain in SAQ A or A-EP scope and never touch card data directly. Confirm no custom code captures card numbers or CVVs in the DOM. Custom themes that add input listeners to checkout fields can quietly bump scope to SAQ D — a much heavier obligation.

    Magecart-style skimmers inject JavaScript on the checkout page to siphon card data. List every script on the checkout DOM (browser DevTools → Network) and verify each against your approved list — analytics, pixels, and the platform's own scripts. Anything you can't account for, remove and investigate.
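The script inventory this item asks for can be scripted rather than eyeballed. The block below is an added example, not part of the checklist: it separates a page's scripts into approved, unexpected and inline entries; the approved-host list, the placeholder base URL and the sample script entries are constructed assumptions, not values from any real store.

```javascript
// Added example (not from the checklist): inventory a checkout page's scripts and
// split them into approved, unexpected and inline. In the browser, paste into
// DevTools and run auditScripts(collectScripts(), APPROVED_HOSTS). The approved
// host list is an assumption; replace it with your own.
const APPROVED_HOSTS = ['cdn.shopify.com', 'www.googletagmanager.com', 'connect.facebook.net'];

// Hostname of a script src; null for inline scripts (no src at all). The base URL
// is a placeholder for constructed input; in the browser s.src is already absolute.
function scriptHost(src) {
  if (!src) return null;
  try {
    return new URL(src, 'https://example-store.test/').hostname.toLowerCase();
  } catch (e) {
    return src; // unparsable src: keep the raw value so it surfaces as unexpected
  }
}

// Exact host or a subdomain of an approved host; no loose substring matching.
function hostAllowed(host, approved) {
  return approved.some((a) => host === a || host.endsWith('.' + a));
}

// entries: [{src, inlineLength}]. Returns what matched and what needs review.
function auditScripts(entries, approved) {
  const result = { approved: [], unexpected: [], inline: [] };
  for (const entry of entries) {
    const host = scriptHost(entry.src);
    if (host === null) result.inline.push({ length: entry.inlineLength });
    else if (hostAllowed(host, approved)) result.approved.push(entry.src);
    else result.unexpected.push(entry.src);
  }
  return result;
}

// Browser-only: snapshot the live DOM's <script> elements (empty under Node).
function collectScripts() {
  if (typeof document === 'undefined') return [];
  return Array.from(document.scripts).map((s) => ({
    src: s.src || '',
    inlineLength: s.src ? 0 : s.textContent.length,
  }));
}

// Constructed sample of a checkout DOM (not captured from a real store).
const SAMPLE_SCRIPTS = [
  { src: 'https://cdn.shopify.com/shopifycloud/checkout.js', inlineLength: 0 },
  { src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE', inlineLength: 0 },
  { src: 'https://static.unknown-vendor.test/loader.js', inlineLength: 0 },
  { src: '', inlineLength: 8200 },
];
```

Inline scripts cannot be matched by host, so the audit reports their size; a large inline blob on the checkout page deserves the same review as an unknown host.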

    Run securityheaders.com against the storefront. Confirm Content-Security-Policy, Strict-Transport-Security, and X-Content-Type-Options are present. CSP is the highest-leverage defense against script injection on custom-themed Shopify Plus and BigCommerce stores.
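As an added example (not part of the checklist or of securityheaders.com), the block below evaluates a set of response headers the way this item describes: it reports the three required headers when absent and flags a CSP whose script-src still permits injected scripts. The header values, and the nonce in the hardened policy, are constructed placeholders.

```javascript
// Added example (not from the checklist): review a storefront's response headers
// the way the item above describes, flagging absent headers and a CSP whose
// script-src still lets injected scripts run. The header values are constructed.
const REQUIRED = ['content-security-policy', 'strict-transport-security', 'x-content-type-options'];

// Parse "directive v1 v2; directive ..." into { directive: [values] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// headers: plain object, keys matched case-insensitively. Returns findings to fix.
function reviewHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = REQUIRED.filter((n) => !(n in h)).map((n) => `missing: ${n}`);
  if (h['content-security-policy']) {
    const csp = parseCsp(h['content-security-policy']);
    const scriptSrc = csp['script-src'] || csp['default-src']; // script-src falls back to default-src
    if (!scriptSrc) findings.push('csp: neither script-src nor default-src, scripts unrestricted');
    else for (const bad of ["'unsafe-inline'", '*', 'data:', 'http:', 'https:']) {
      if (scriptSrc.includes(bad)) findings.push(`csp: script-src allows ${bad}`);
    }
  }
  if (h['strict-transport-security']) {
    const m = /max-age=(\d+)/i.exec(h['strict-transport-security']);
    if (!m || Number(m[1]) < 31536000) findings.push('hsts: max-age below one year');
  }
  if (h['x-content-type-options'] && h['x-content-type-options'].toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options: expected nosniff');
  }
  return findings;
}

// Constructed examples: a weak configuration beside a corrected one. The nonce is a
// placeholder; a real nonce is random and differs on every response.
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
  'Strict-Transport-Security': 'max-age=300',
};
const HARDENED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.shopify.com 'nonce-PLACEHOLDER'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
};
```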

    Confirm any staging URL, theme preview, or development store is password-protected and not indexed by Google. Common gotcha: a dev store seeded with real customer email addresses gets indexed and exposed; a state breach notification follows.

Customer Data and Privacy Compliance

    List every place customer data is captured: checkout, account creation, newsletter pop-up, SMS opt-in, customer service forms, reviews (Yotpo/Okendo), referral programs. For each, confirm it flows only to systems disclosed in the privacy policy. Newly added Klaviyo flows or pop-up tools are the usual source of undisclosed data flows.

    Confirm Klaviyo profile retention, suppressed-profile handling, and automatic deletion settings match your stated retention policy. EU/UK profiles need a defensible retention period; indefinite retention of unengaged profiles is a GDPR exposure.

    Maintain a current subprocessor list — Shopify, Klaviyo, Gorgias, your 3PL, payment processor, analytics, etc. Confirm each has a signed Data Processing Addendum on file. Required disclosure under GDPR; expected practice under CCPA. Attach the current list as evidence.

    Submit a test data subject access request through the published privacy intake (email, web form, or both). Confirm it routes to a real owner, that Shopify's customer data export tool is in the loop, and that the 30-day GDPR / 45-day CCPA response windows are tracked. Capture the test result.

    Confirm a clearly labeled "Your Privacy Choices" or "Do Not Sell or Share My Personal Information" link is in the site footer and resolves to a working opt-out form. Required for businesses meeting CCPA/CPRA thresholds when sharing data with ad networks (Meta CAPI, Google Ads).

Marketing Consent and Disclosures

    Open the site from an EU IP (or VPN) and confirm the CMP — OneTrust, Cookiebot, Termly, or Shopify's built-in — blocks non-essential cookies until consent is given. Common failure: marketing pixels fire before consent because they're hardcoded in the theme rather than gated through the CMP.

    California regulators require honoring browser-level Global Privacy Control signals as opt-out requests. Test with GPC enabled (Brave or DuckDuckGo browser) and confirm the site treats the visitor as opted out of sale/sharing.
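The two items above describe the same gate from two sides: pixels must wait for CMP consent, and a GPC signal must count as an opt-out. The block below is an added example, not part of the checklist or of any CMP vendor's code, of a loader that satisfies both; the consent shape, the CMP callback name and the pixel URL are assumptions.

```javascript
// Added example (not from the checklist): load marketing pixels only after the
// CMP reports consent, and treat a Global Privacy Control signal as an opt-out of
// sale/sharing no matter what the banner collected. The consent shape
// {marketing: boolean}, the CMP callback name and the pixel URL are assumptions.

// consent: null (no choice made yet) or {marketing: boolean}; gpc: boolean.
function marketingAllowed(consent, gpc) {
  if (gpc) return false;      // GPC wins: the visitor has opted out of sale/sharing
  if (!consent) return false; // nothing fires before a choice is recorded
  return consent.marketing === true;
}

// The signal browsers expose when GPC is enabled (navigator.globalPrivacyControl).
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Register pixels here instead of hardcoding <script> tags in the theme.
const PENDING_PIXELS = [];
function registerPixel(src) { PENDING_PIXELS.push(src); }

// Inject queued pixels only when allowed; returns the list actually loaded.
function loadPixelsIfAllowed(consent, gpc, doc) {
  if (!marketingAllowed(consent, gpc)) return [];
  const loaded = [];
  while (PENDING_PIXELS.length) {
    const src = PENDING_PIXELS.shift();
    if (doc) {
      const s = doc.createElement('script');
      s.src = src;
      s.async = true;
      doc.head.appendChild(s);
    }
    loaded.push(src);
  }
  return loaded;
}

// Browser wiring (assumed CMP hook; adapt to OneTrust, Cookiebot or Termly):
// registerPixel('https://pixel.example.test/tag.js');
// window.onConsentChanged = (c) => loadPixelsIfAllowed(c, readGpc(navigator), document);
```

Because the queue only drains when the gate is open, a pixel added to the theme cannot fire before consent, which is the failure mode the first item describes.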

    TCPA requires express written consent for marketing SMS. Pull a sample from Postscript or Attentive and confirm each subscriber has a timestamped opt-in record tied to consent language. STOP/HELP keywords must work; quiet hours must be enforced. TCPA suits commonly cite missing or weak opt-in records.

    Spot-check recent influencer and affiliate posts for #ad, "paid partnership," or equivalent disclosure required by the FTC Endorsement Guides. Disclosures buried below the fold or in hashtag piles don't qualify. The brand — not just the influencer — is on the hook for non-compliance.

    If you sell subscriptions through Recharge, Smartrr, or Bold, confirm a customer can cancel online with no more friction than they encountered when signing up. California, New York, and the FTC's pending Negative Option Rule require cancellation parity. Retention offers that block the cancel button are the exact dark pattern under enforcement.

Incident Response and Breach Notification

    Confirm the runbook lists current on-call contacts, the password manager break-glass procedure, the platform support escalation paths (Shopify Plus merchant success, Stripe security), and counsel's contact for breach analysis. Stale runbooks are useless under pressure.

    Review the quarter's tickets, Shopify activity logs, and any reports from CX or finance about suspicious account or order activity. Document any incident — confirmed or suspected — with timestamps, scope, and disposition. "No incidents this quarter" should be a deliberate, evidenced answer, not a default.

    GDPR requires notification of the supervisory authority within 72 hours of awareness, and of affected EU data subjects "without undue delay." US state laws vary — most require notification within 30-60 days, some sooner. Coordinate notification language with counsel before sending; the wrong wording can create liability.

    Most states require notification to the Attorney General when a breach affects more than a threshold number of residents (often 500 or 1,000). Check each affected state's portal and timing. For card data, also notify the card brands via the acquiring bank.

    Capture findings from this review — what was fixed, what's open, what gets carried into next quarter's run. For any incident, attach the postmortem with root cause, timeline, and the controls being added. This log is what you produce for due-diligence requests from retail partners or acquirers.

Use this template in Manifestly
