Security

Security and data protection measures for Withdrawly
Jun 3, 2026

Overview

Withdrawly is built as a technical workflow tool for Shopify merchants. This page summarizes security and data protection measures that support the Data Processing Agreement and privacy obligations.

Authentication and Request Verification

  • Shopify Admin access uses Shopify embedded app authentication.
  • Storefront App Proxy requests are authenticated through Shopify App Proxy verification.
  • Shopify webhooks are authenticated before processing.
  • Mandatory privacy compliance webhook endpoints are configured for customer data requests, customer redaction, and shop redaction.
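
The webhook and App Proxy checks above, as an added illustration that is not Withdrawly's own code: Shopify sends an `X-Shopify-Hmac-Sha256` header carrying the base64 HMAC-SHA256 of the raw webhook body, and signs App Proxy requests with a hex HMAC-SHA256 `signature` query parameter over the sorted remaining parameters; both use the app's API secret. The secret, payload and query values below are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed placeholder; a real app loads its Shopify API secret from the
# platform secret manager, never from a literal in the source.
APP_SECRET = b"example-app-secret-not-real"


def verify_webhook(raw_body: bytes, hmac_header: str, secret: bytes = APP_SECRET) -> bool:
    """Check X-Shopify-Hmac-Sha256 == base64(HMAC-SHA256(secret, raw body)).

    The MAC is computed over the raw bytes before any JSON parsing, and the
    comparison is constant-time so the check leaks no timing information.
    """
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    expected = base64.b64encode(digest)
    return hmac.compare_digest(expected, (hmac_header or "").encode())


def verify_app_proxy(query_string: str, secret: bytes = APP_SECRET) -> bool:
    """Check the `signature` parameter of a Shopify App Proxy request.

    Every parameter except `signature` is sorted by key, rendered as key=value
    (repeated keys joined with commas), concatenated with no separator, and
    the hex HMAC-SHA256 under the app secret must equal `signature`.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    signature = params.pop("signature", [""])[0]
    message = "".join(f"{k}={','.join(v)}" for k, v in sorted(params.items()))
    expected = hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), signature.encode())


def sign_webhook(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Header value Shopify would attach; used here only to build sample input."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def sign_app_proxy(params: dict, secret: bytes = APP_SECRET) -> str:
    """`signature` value Shopify would attach; used here only to build sample input."""
    message = "".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    body = b'{"shop_domain":"example.myshopify.com"}'  # constructed sample payload
    print(verify_webhook(body, sign_webhook(body)))         # True: intact body
    print(verify_webhook(body + b" ", sign_webhook(body)))  # False: body altered
    proxy = {"shop": "example.myshopify.com", "path_prefix": "/apps/withdraw", "timestamp": "1700000000"}
    qs = "&".join(f"{k}={v}" for k, v in proxy.items())
    print(verify_app_proxy(qs + "&signature=" + sign_app_proxy(proxy)))  # True
```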

Data Minimisation

Withdrawly processes data needed to receive, confirm, review, and document withdrawal requests. The withdrawal workflow is designed not to request or store customer address, phone, payment method details, or customer account credentials.

Rate-limit identifiers are stored as hashes. Error reporting is sanitized before being sent to observability tools.

Tenant Separation and Access Control

Merchant data is scoped by Shopify shop. Admin routes authenticate the current shop before returning merchant data. Production access should follow least privilege, with MFA for infrastructure accounts and restricted operational access.

Input Handling

Customer and merchant input is validated at system boundaries. User-submitted content is escaped when rendered into HTML emails or storefront HTML.

Transport, Secrets, and Infrastructure

Production traffic should use HTTPS. Secrets are stored in platform secret managers and are not committed to the repository.

Withdrawly's production application deployment is configured for Fly.io with Frankfurt (fra) as the primary region. Production PostgreSQL is intended to run on Supabase Central EU / Frankfurt (eu-central-1). Transactional emails are sent through Resend, using its EU domain region in Ireland (eu-west-1) for email dispatch. Optional Sentry monitoring should use Sentry's EU region in Frankfurt when enabled.

The current hosting, database, email, and monitoring subprocessors are listed on the Subprocessors page.

Retention and Deletion

Withdrawly supports merchant-controlled deletion, retention-period purge, customer redaction, shop redaction, and uninstall cleanup. These controls support merchant obligations but do not replace the merchant's own legal assessment.

Incident Handling

If Withdrawly becomes aware of a personal data breach affecting merchant data processed by Withdrawly, affected merchants will be notified without undue delay with information reasonably available to support GDPR breach assessment and notification obligations.

Contact

Security questions can be sent to support@withdrawly.app.