Least required access
The app should request only the permissions required for the confirmed product scope.
This page defines Torevo security principles and the intended operating standard. We do not claim certifications or guarantees that have not been independently verified.
The implementation should be documented, tested and connected to real infrastructure according to the service scope.
The app should request only the permissions required for the confirmed product scope.
API keys and tokens do not belong in source code, public logs or client-side interfaces.
Traffic between the store, Torevo and providers should use current secure protocols.
Staff access should be role-limited, strongly authenticated and recorded.
Retry logic must account for duplicate shipments or repeated state changes.
A serious event should have an owner, timeline, communication plan and post-incident review.
We do not currently claim ISO 27001, SOC 2 or another independent certification.
Users should understand which data comes from Shopify, what Torevo processes and what is sent to the selected service.
Send sensitive security findings through the contact page and clearly identify the message as a security report. Do not publish exploit details, personal data or access credentials.
Send it through the contact page with a safe description and without passwords, tokens or unnecessary personal data.