
Security

Last updated: June 3, 2026

Security is foundational to how we build and operate Convot.io. This page summarises the technical and organisational measures we use to protect your data. It complements our Privacy Policy and Data Processing Agreement.

Your data is yours

Convot is built by a team that also builds Shopify apps, which is exactly why we understand how sensitive your support conversations, merchant list, and revenue data are. So we want to be unambiguous: your data is yours, and it stays walled off.

  • We never use your data to build or improve any other product. Your conversations, contacts, and the merchant revenue data Convot reads from the Shopify Partner API are used only to provide the Service to you. They are never used to inform, train, benchmark, or build any other app or business we operate.
  • We never sell or share your data. Customer data is not sold, rented, or shared for marketing, and is only processed by the limited sub-processors needed to run the Service (see section 8), under our DPA.
  • It is logically isolated. Your workspace is scoped to your organisation and isolated from every other customer (see Tenant isolation, section 4).
  • You stay in control. You can export or delete your data at any time, and our Data Processing Agreement binds us to these commitments contractually.

1. Infrastructure and hosting

The Service runs on reputable cloud infrastructure providers operating data centres in the European Union. These providers maintain industry-recognised certifications (such as ISO 27001 and SOC 2) for their physical and environmental security, including 24/7 facility monitoring, redundant power, and strict physical-access controls. We do not operate our own data centres.

2. Encryption

  • In transit - all traffic to and from the Service is encrypted using TLS 1.2 or higher. The chat widget, dashboard, APIs, and webhooks are served exclusively over HTTPS.
  • At rest - data stored in our databases, object storage, and backups is encrypted at rest using AES-256. Sensitive credentials and third-party tokens are encrypted at the application layer.
  • Passwords - account passwords are never stored in plaintext; they are hashed using a strong, salted one-way algorithm (bcrypt).

3. Access control

  • Access to production systems is restricted to authorised personnel on a least-privilege, need-to-know basis and is logged.
  • Administrative access requires strong authentication, and we encourage and support multi-factor authentication.
  • Within your workspace, role-based permissions (owner, admin, agent) and per-member overrides let you control what each team member can see and do.
  • Access is reviewed periodically and revoked promptly when no longer required.

4. Tenant isolation

Convot.io is a multi-tenant service. Each customer's data is logically separated and scoped to its organisation, and the application enforces authorisation checks on every request so that one customer cannot access another customer's data.

5. Network and application security

  • Production services run in isolated network environments with restricted ingress and egress.
  • We follow secure development practices, including code review, automated testing, and dependency vulnerability scanning.
  • APIs are authenticated and rate-limited, and the widget uses scoped session tokens.
  • We apply security patches to our systems and dependencies on a regular, risk-prioritised basis.

6. Availability and backups

We use managed, replicated databases and take automated backups so that data can be restored in the event of a failure. Infrastructure is monitored for availability and performance, and we design for graceful degradation of non-critical components.

7. Monitoring and logging

We collect application and infrastructure logs and use automated monitoring and alerting to detect anomalies, errors, and potential security events. Access to logs is restricted to authorised personnel.

8. Sub-processors and vendor management

We rely on a limited set of vendors to deliver the Service (for example, cloud hosting and database providers, our payment processor Stripe, our transactional email provider, and error-monitoring providers). We assess vendors for their security and privacy practices and bind them to appropriate contractual obligations. A current list is available on request and is governed by our Data Processing Agreement.

9. Compliance and data protection

We are committed to compliance with applicable data-protection laws, including the GDPR and UK GDPR. We process personal data in the EU by default, support Standard Contractual Clauses for international transfers, and offer a Data Processing Agreement to customers. We continue to invest in our security and compliance programme, including working toward recognised third-party attestations.

10. Incident response

We maintain an incident-response process to detect, investigate, and respond to security incidents. In the event of a personal data breach affecting your data, we will notify you without undue delay and within the timeframes set out in our Data Processing Agreement.

11. Responsible disclosure

We welcome reports from the security community. If you believe you have found a security vulnerability in Convot.io, please report it responsibly to [email protected]. Please give us a reasonable opportunity to investigate and remediate before any public disclosure, and do not access, modify, or delete data that is not your own. We will acknowledge valid reports and keep you informed of our progress.

12. Contact

For security questions, to request our latest documentation, or to report a concern, contact [email protected].

© 2026 Convot. Built for the teams building Shopify apps.