Torevo Security

Trust should be supported by controls, not badges.

This page defines Torevo security principles and the intended operating standard. We do not claim certifications or guarantees that have not been independently verified.

Security principles

Less access. More visibility. Clear ownership.

The implementation should be documented, tested and connected to real infrastructure according to the service scope.

Least required access

The app should request only the permissions required for the confirmed product scope.

Secret isolation

API keys and tokens do not belong in source code, public logs or client-side interfaces.

Encrypted communication

Traffic between the store, Torevo and providers should use current secure protocols.

Controlled internal access

Staff access should be role-limited, strongly authenticated and recorded.

Safe workflow retries

Retry logic must account for duplicate shipments or repeated state changes.

Incident process

A serious event should have an owner, timeline, communication plan and post-incident review.

We do not currently claim ISO 27001, SOC 2 or another independent certification.

Data flow

Every connection should have a clear purpose.

Users should understand which data comes from Shopify, what Torevo processes and what is sent to the selected service.

Shopify store
Torevo app
Torevo backend
Selected service
Operational controls

A checklist for services in operation.

Inventory of data and processing purposesExact Shopify permission listSecret management and rotationBackup and recoveryMonitoring and alertingLogs without sensitive valuesData deletion processDependency and update managementPenetration or security testingIncident response and contacts
Responsible disclosure

Do not send a security finding publicly.

Send sensitive security findings through the contact page and clearly identify the message as a security report. Do not publish exploit details, personal data or access credentials.

  • Describe the affected component and reproduction steps
  • Do not use third-party real accounts or data
  • Do not change or delete production data
  • Allow reasonable remediation time before disclosure
  • Do not expect a reward unless a bug bounty programme is published
Contact Torevo
Security

Have a security or data protection question?

Send it through the contact page with a safe description and without passwords, tokens or unnecessary personal data.