Security and Privacy Review Checklist
Quarterly security and privacy review for an e-commerce business — covers account hardening across Shopify and connected apps, checkout and PCI scope, customer-data handling under CCPA/GDPR, marketing consent under TCPA and FTC rules, and incident response. Run by the operatio...
Account and Access Hardening
Audit Shopify staff accounts and roles
Pull the Shopify staff list and confirm each account maps to a current employee or contractor. Downgrade owner-equivalent permissions where the role doesn't need them — finance staff rarely need theme or app installation rights. Common gotcha: a former agency or freelance developer still listed with full permissions months after the engagement ended.
Enforce 2FA across admin platforms
Confirm 2FA is enforced (not just optional) on Shopify, Amazon Seller Central, Klaviyo, Gorgias, the domain registrar, and the email provider. SMS-based 2FA is acceptable for low-risk accounts; admin and finance accounts should use an authenticator app or hardware key. Document which platforms are verified this quarter.
Rotate API keys for marketing integrations
Rotate private app tokens and API keys for Klaviyo, Recharge, ShipStation, and any custom integrations. Revoke any unused tokens. Keys that have been pasted into shared docs, Slack, or freelancer environments should be rotated regardless of perceived risk.
Review third-party Shopify app permissions
Open Settings → Apps and review every installed app. Uninstall apps no longer in use — abandoned apps retain customer-data access scopes. For apps that remain, note the data scopes (customer read, order read, write) and confirm the vendor is still operating and patched.
Revoke access for offboarded staff
Cross-reference HR's offboarding list against active accounts on every platform from the prior step. Offboarding is the most common gap — an employee leaves, Shopify access gets removed, but Klaviyo, Gorgias, and the 3PL portal don't.
Storefront and Payment Security
Verify SSL certificate expiration and chain
Check the certificate on the apex domain, www subdomain, and any custom checkout subdomain. Shopify-managed certs renew automatically; custom-DNS or reverse-proxied setups don't. Record the next expiration date so a calendar reminder fires 30 days ahead.
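The expiry and chain check above can be scripted so the recorded dates come from the live certificate rather than from memory. This is an added example, not part of the checklist template: the hostnames in `HOSTS_TO_CHECK` are placeholders to replace with the store's apex, www and checkout hosts, and the 30-day reminder lead time mirrors the step above.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Hostnames are an assumption for this example; replace with the apex domain,
# the www subdomain, and any custom checkout subdomain of the store under review.
HOSTS_TO_CHECK = ["example.com", "www.example.com", "checkout.example.com"]


def fetch_leaf_cert(hostname: str, port: int = 443) -> dict:
    """Open a verified TLS connection and return the leaf certificate as a dict.

    Verification uses the default trust store, so an incomplete or untrusted chain
    raises ssl.SSLCertVerificationError here rather than surfacing later as a
    browser warning shown to customers.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def expiry_report(cert: dict, now: datetime, lead_days: int = 30) -> dict:
    """Turn a certificate dict into the dates the checklist asks you to record.

    cert["notAfter"] is in the format ssl.getpeercert() returns
    (e.g. "Jun  1 12:00:00 2025 GMT"); ssl.cert_time_to_seconds parses it as UTC.
    """
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    reminder = not_after - timedelta(days=lead_days)
    return {
        "not_after": not_after.date().isoformat(),
        "days_left": (not_after - now).days,
        "reminder_date": reminder.date().isoformat(),
        "action_needed": now >= reminder,
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for host in HOSTS_TO_CHECK:
        try:
            report = expiry_report(fetch_leaf_cert(host), now)
        except OSError as exc:  # covers DNS failure, timeout, bad chain and expired cert (ssl.SSLError is an OSError)
            print(f"{host}: FAIL ({exc})")
            continue
        flag = "RENEW NOW" if report["action_needed"] else "ok"
        print(f"{host}: expires {report['not_after']} ({report['days_left']} days), "
              f"reminder {report['reminder_date']} [{flag}]")
```

Run it once per quarter and paste the `reminder_date` values into the calendar; a FAIL line on a host that renders fine in a browser usually means the server is sending an incomplete chain that the browser silently repaired.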
Confirm PCI DSS SAQ A scope
If checkout runs on Shopify Payments, Stripe, or PayPal hosted fields, you remain in SAQ A or A-EP scope and never touch card data directly. Confirm no custom code captures card numbers or CVVs in the DOM. Custom themes that add input listeners to checkout fields can quietly bump scope to SAQ D — a much heavier obligation.
Scan checkout for unauthorized scripts
Magecart-style skimmers inject JavaScript on the checkout page to siphon card data. List every script on the checkout DOM (browser DevTools → Network) and verify each against your approved list — analytics, pixels, and the platform's own scripts. Anything you can't account for, remove and investigate.
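Comparing the checkout DOM against the approved list is easier to repeat each quarter if the page is saved from DevTools and diffed by script. This is an added example, not part of the checklist template: the `APPROVED_HOSTS` set and the sample checkout HTML are constructed for illustration, and the unknown host in the sample uses the reserved `.example` suffix.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Approved script hosts are an assumption for this example: build your own list from
# the platform, analytics and pixel vendors actually authorised on checkout.
APPROVED_HOSTS = {"cdn.shopify.com", "shopify.com", "googletagmanager.com", "connect.facebook.net"}

# Constructed sample of a saved checkout page; the last external script and the inline
# script are the two things this check is meant to surface for review.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://cdn.shopify.com/shopifycloud/checkout-web/assets/app.js"></script>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/assets/theme.js"></script>
<script src="https://static-cdn-metrics.example/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect <script src> URLs and inline <script> bodies from saved checkout HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def host_allowed(host: str, approved: set) -> bool:
    """True if host is an approved host or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in approved)


def classify_scripts(html: str, approved: set = APPROVED_HOSTS) -> dict:
    """Split the page's scripts into approved, unapproved and inline (review-by-hand) buckets."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    approved_srcs, unapproved_srcs = [], []
    for src in parser.external:
        url = "https:" + src if src.startswith("//") else src  # protocol-relative URLs
        host = urlparse(url).hostname
        # A relative path has no host and is served by the storefront itself.
        if host is None or host_allowed(host, approved):
            approved_srcs.append(src)
        else:
            unapproved_srcs.append(src)
    return {"approved": approved_srcs, "unapproved": unapproved_srcs, "inline": parser.inline}


if __name__ == "__main__":
    import sys
    html = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CHECKOUT_HTML
    result = classify_scripts(html)
    for src in result["unapproved"]:
        print("UNAPPROVED external script:", src)
    for body in result["inline"]:
        print("inline script to review:", body[:80])
```

Inline scripts are listed rather than judged because an allowlist cannot vet them; each one should be traced to a theme file or app you recognise, since a skimmer that survives this check is usually inline or loaded by one of the approved scripts at runtime, which is why the DevTools Network tab remains part of the step.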
Review storefront security headers
Run securityheaders.com against the storefront. Confirm Content-Security-Policy, Strict-Transport-Security, and X-Content-Type-Options are present. CSP is the highest-leverage defense against script injection on custom-themed Shopify Plus and BigCommerce stores.
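Presence of the three headers is the minimum; a CSP without a script-restricting directive or an HSTS with a token max-age passes a presence check while giving little protection. This added example, not part of the checklist template, fetches the storefront headers with the standard library and applies those checks; the one-year HSTS threshold is this example's choice, not a figure from the checklist.

```python
import urllib.request

# Minimum HSTS max-age this example insists on (one year); the threshold is this example's choice.
MIN_HSTS_MAX_AGE = 31536000


def fetch_headers(url: str) -> dict:
    """GET the storefront and return its response headers (GET, since some CDNs reject HEAD)."""
    req = urllib.request.Request(url, headers={"User-Agent": "security-review/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers)


def _csp_directives(csp: str) -> dict:
    """Parse "default-src 'self'; script-src a b" into {"default-src": ["'self'"], ...}."""
    out = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def _hsts_max_age(hsts: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for part in hsts.replace(" ", "").split(";"):
        if part.lower().startswith("max-age="):
            try:
                return int(part.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


def check_security_headers(headers: dict) -> list:
    """Return findings for the three headers the checklist names; an empty list means all passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = _csp_directives(csp)
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            findings.append("Content-Security-Policy has neither script-src nor default-src, "
                            "so it does not restrict script loads")
        else:
            # 'unsafe-inline' is ignored by browsers when a nonce or hash source is also present.
            has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                    for s in sources)
            if "*" in sources or ("'unsafe-inline'" in sources and not has_nonce_or_hash):
                findings.append("Content-Security-Policy script sources allow wildcard or inline scripts, "
                                "which does not block an injected script")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = _hsts_max_age(hsts)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below {MIN_HSTS_MAX_AGE}")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'")

    return findings


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com/"  # placeholder storefront URL
    for finding in check_security_headers(fetch_headers(url)) or ["all three headers present and sane"]:
        print(finding)
```

Keep the output with the quarter's evidence; the findings list doubles as the remediation ticket text for the theme or CDN owner.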
Lock down staging and dev environments
Confirm any staging URL, theme preview, or development store is password-protected and not indexed by Google. Common gotcha: a dev store seeded with real customer email addresses gets indexed and exposed; a state breach notification follows.
Customer Data and Privacy Compliance
Map PII collection across forms and integrations
List every place customer data is captured: checkout, account creation, newsletter pop-up, SMS opt-in, customer service forms, reviews (Yotpo/Okendo), referral programs. For each, confirm it flows only to systems disclosed in the privacy policy. Newly added Klaviyo flows or pop-up tools are the usual source of undisclosed data flows.
Review Klaviyo data retention settings
Confirm Klaviyo profile retention, suppressed-profile handling, and automatic deletion settings match your stated retention policy. EU/UK profiles need a defensible retention period; indefinite retention of unengaged profiles is a GDPR exposure.
Document subprocessors and signed DPAs
Maintain a current subprocessor list — Shopify, Klaviyo, Gorgias, your 3PL, payment processor, analytics, etc. Confirm each has a signed Data Processing Addendum on file. Required disclosure under GDPR; expected practice under CCPA. Attach the current list as evidence.
Test the DSAR request workflow
Submit a test data subject access request through the published privacy intake (email, web form, or both). Confirm it routes to a real owner, that Shopify's customer data export tool is in the loop, and that the 30-day GDPR / 45-day CCPA response windows are tracked. Capture the test result.
Verify CCPA opt-out link placement
Confirm a clearly labeled "Your Privacy Choices" or "Do Not Sell or Share My Personal Information" link is in the site footer and resolves to a working opt-out form. Required for businesses meeting CCPA/CPRA thresholds when sharing data with ad networks (Meta CAPI, Google Ads).
Marketing Consent and Disclosures
Audit cookie consent banner configuration
Open the site from an EU IP (or VPN) and confirm the CMP — OneTrust, Cookiebot, Termly, or Shopify's built-in — blocks non-essential cookies until consent is given. Common failure: marketing pixels fire before consent because they're hardcoded in the theme rather than gated through the CMP.
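The "pixels fire before consent" failure is easiest to prove from a HAR export: load the site from the EU vantage point with DevTools recording, click accept in the CMP, save the HAR, and list every third-party request whose start time precedes the consent click. This is an added example, not part of the checklist template: the first-party and marketing host sets are assumptions to replace with the store's own, the sample HAR is constructed, and the consent timestamp is either noted from the clock when you click accept or taken from the CMP's own consent-record request in the same HAR.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Host sets are assumptions for this example: the storefront's own hosts, and the
# marketing endpoints the CMP is supposed to hold back until consent.
FIRST_PARTY_HOSTS = {"shop.example.com", "cdn.shopify.com"}
MARKETING_HOSTS = {"connect.facebook.net", "googleads.g.doubleclick.net", "static.klaviyo.com"}

# Constructed HAR fragment: five requests, consent clicked at 10:00:06 UTC.
SAMPLE_HAR = {
    "log": {"entries": [
        {"startedDateTime": "2025-03-04T10:00:00.000Z",
         "request": {"url": "https://shop.example.com/"}},
        {"startedDateTime": "2025-03-04T10:00:00.400Z",
         "request": {"url": "https://cdn.shopify.com/s/files/theme.js"}},
        {"startedDateTime": "2025-03-04T10:00:01.200Z",
         "request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
        {"startedDateTime": "2025-03-04T10:00:01.900Z",
         "request": {"url": "https://fonts.gstatic.com/s/inter/v12/font.woff2"}},
        {"startedDateTime": "2025-03-04T10:00:09.000Z",
         "request": {"url": "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/ID-PLACEHOLDER"}},
    ]}
}
CONSENT_CLICKED_AT = datetime(2025, 3, 4, 10, 0, 6, tzinfo=timezone.utc)


def host_matches(host: str, hosts: set) -> bool:
    """True if host equals one of hosts or is a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def _parse_har_time(value: str) -> datetime:
    # HAR startedDateTime is ISO 8601; normalise a trailing "Z" so fromisoformat accepts it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def requests_before_consent(har: dict, consent_at: datetime,
                            first_party: set = FIRST_PARTY_HOSTS,
                            marketing: set = MARKETING_HOSTS) -> list:
    """List third-party requests started before the consent click, marking known marketing hosts.

    Any entry returned is a request the CMP did not gate; the ones flagged known_marketing
    are the pixels the checklist step is about, the rest still need a look (fonts and
    CDNs are usually fine, unknown hosts are not).
    """
    findings = []
    for entry in har["log"]["entries"]:
        if _parse_har_time(entry["startedDateTime"]) >= consent_at:
            continue
        url = entry["request"]["url"]
        host = urlparse(url).hostname or ""
        if host_matches(host, first_party):
            continue
        findings.append({
            "url": url,
            "host": host,
            "started": entry["startedDateTime"],
            "known_marketing": host_matches(host, marketing),
        })
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:  # usage: script.py capture.har 2025-03-04T10:00:06Z
        with open(sys.argv[1], encoding="utf-8") as f:
            har, consent_at = json.load(f), _parse_har_time(sys.argv[2])
    else:
        har, consent_at = SAMPLE_HAR, CONSENT_CLICKED_AT
    for f in requests_before_consent(har, consent_at):
        tag = "MARKETING" if f["known_marketing"] else "third-party"
        print(f"{f['started']} {tag:11} {f['url']}")
```

A marketing request in the output means the tag is loaded by the theme directly rather than through the CMP; the fix is to move that tag behind the CMP's consent categories, then re-run the capture.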
Confirm Global Privacy Control recognition
California regulators require honoring browser-level Global Privacy Control signals as opt-out requests. Test with GPC enabled (Brave or DuckDuckGo browser) and confirm the site treats the visitor as opted out of sale/sharing.
Review SMS marketing consent records
TCPA requires express written consent for marketing SMS. Pull a sample from Postscript or Attentive and confirm each subscriber has a timestamped opt-in record tied to consent language. STOP/HELP keywords must work; quiet hours must be enforced. TCPA suits commonly cite missing or weak opt-in records.
Verify influencer FTC disclosure compliance
Spot-check recent influencer and affiliate posts for #ad, "paid partnership," or equivalent disclosure required by the FTC Endorsement Guides. Disclosures buried below the fold or in hashtag piles don't qualify. The brand — not just the influencer — is on the hook for non-compliance.
Confirm subscription cancellation parity
If you sell subscriptions through Recharge, Smartrr, or Bold, confirm a customer can cancel online with no more friction than they signed up. California, New York, and the FTC's pending Negative Option Rule require cancellation parity. Retention offers that block the cancel button are the exact dark pattern under enforcement.
Incident Response and Breach Notification
Review the incident response runbook
Confirm the runbook lists current on-call contacts, the password manager break-glass procedure, the platform support escalation paths (Shopify Plus merchant success, Stripe security), and counsel's contact for breach analysis. Stale runbooks are useless under pressure.
Confirm whether a security incident occurred
Review the quarter's tickets, Shopify activity logs, and any reports from CX or finance about suspicious account or order activity. Document any incident — confirmed or suspected — with timestamps, scope, and disposition. "No incidents this quarter" should be a deliberate, evidenced answer, not a default.
Notify affected customers within required windows
GDPR requires notification of supervisory authority within 72 hours of awareness; affected EU data subjects "without undue delay." US state laws vary — most require notification within 30-60 days, some sooner. Coordinate notification language with counsel before sending; the wrong wording can create liability.
File state and federal breach notifications
Most states require notification to the Attorney General when a breach affects more than a threshold number of residents (often 500 or 1,000). Check each affected state's portal and timing. For card data, also notify the card brands via the acquiring bank.
Update the remediation log and postmortem
Capture findings from this review — what was fixed, what's open, what gets carried into next quarter's run. For any incident, attach the postmortem with root cause, timeline, and the controls being added. This log is what you produce for due-diligence requests from retail partners or acquirers.