Trust & security
Security at SyncO
How SyncO secures your Shopify store data, Odoo credentials, and the data flowing between both systems.
Authentication
Shopify OAuth. SyncO uses Shopify's standard OAuth 2.0 installation flow. We request only the specific API scopes needed for the sync flows you enable — we do not request broad admin access. Shopify access tokens are stored encrypted at rest in our secrets store and are never logged or exposed in API responses.
Odoo API credentials. Your Odoo URL, database name, username, and API key are entered once during onboarding and stored encrypted with AES-256 in a dedicated secrets store. Credentials are decrypted only when a sync job executes and are never written to application logs.
Data in transit
All data transmitted between SyncO and Shopify, between SyncO and your Odoo instance, and between your browser and the SyncO app is encrypted using TLS 1.2 or higher (TLS 1.3 preferred). We enforce HTTPS on all endpoints and do not support unencrypted HTTP connections.
Shopify signs every webhook it sends with HMAC-SHA256 over the raw request body, keyed with the app's shared secret. SyncO recomputes the signature for each delivery and rejects any webhook whose signature does not match before any processing occurs.
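The check described above, as an added illustration (this is not SyncO's own code): Shopify places the base64-encoded HMAC-SHA256 of the raw request body in the X-Shopify-Hmac-Sha256 header, keyed with the app's client secret. The verifier below recomputes that value, compares it in constant time, and only then parses the JSON. The secret, the order payload, and the handler names are constructed for the example. It also shows the failure mode practitioners most often hit: verifying a re-serialised body instead of the raw bytes changes the digest and causes a legitimate webhook to be rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed example secret. In Shopify this is the app's client secret from
# the Partner Dashboard; load it from a secrets store, never hard-code it.
APP_SECRET = b"shpss_example_secret_do_not_use"

HMAC_HEADER = "X-Shopify-Hmac-Sha256"


def compute_shopify_hmac(secret: bytes, raw_body: bytes) -> str:
    """Return the value Shopify sends in X-Shopify-Hmac-Sha256:
    base64(HMAC-SHA256(secret, raw_body))."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Verify a webhook signature against the raw request bytes.

    Call this before any JSON parsing or re-serialisation: a single changed
    byte (whitespace, key order) changes the digest. Returns False rather
    than raising when the header is missing or not valid base64.
    """
    # HTTP header names are case-insensitive, so normalise the lookup.
    received = None
    for name, value in headers.items():
        if name.lower() == HMAC_HEADER.lower():
            received = value
            break
    if not received:
        return False
    try:
        received_digest = base64.b64decode(received, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected_digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(received_digest, expected_digest)


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Gate for an inbound webhook: verify first, parse only after success.
    Returns (http_status, parsed_payload_or_None)."""
    if not verify_shopify_webhook(secret, raw_body, headers):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample delivery: an orders/create webhook, with the header
# computed exactly as Shopify would compute it for this body.
SAMPLE_BODY = b'{"id":1001,"email":"buyer@example.com","total_price":"19.99"}'
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-Shopify-Topic": "orders/create",
    HMAC_HEADER: compute_shopify_hmac(APP_SECRET, SAMPLE_BODY),
}


def demo() -> dict:
    """Exercise the verifier on the genuine delivery and on common failures."""
    tampered_body = SAMPLE_BODY.replace(b"19.99", b"0.01")
    # Parsing then re-serialising yields different bytes (json.dumps inserts
    # spaces), so the same header no longer matches: verify the raw body.
    reserialised_body = json.dumps(json.loads(SAMPLE_BODY)).encode("utf-8")
    return {
        "genuine": handle_webhook(APP_SECRET, SAMPLE_BODY, SAMPLE_HEADERS)[0],
        "tampered": handle_webhook(APP_SECRET, tampered_body, SAMPLE_HEADERS)[0],
        "wrong_secret": handle_webhook(b"other-secret", SAMPLE_BODY, SAMPLE_HEADERS)[0],
        "missing_header": handle_webhook(APP_SECRET, SAMPLE_BODY, {})[0],
        "garbage_header": handle_webhook(
            APP_SECRET, SAMPLE_BODY, {"x-shopify-hmac-sha256": "not base64!!"})[0],
        "reserialised_differs": reserialised_body != SAMPLE_BODY,
        "reserialised": handle_webhook(APP_SECRET, reserialised_body, SAMPLE_HEADERS)[0],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Web frameworks that parse the body for you (for example, a JSON body parser middleware) usually also expose the raw bytes; use those, or verify the signature in a middleware that runs before parsing.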
Data at rest
Application data — including your sync configuration, job history, and field mappings — is stored in an encrypted database. Encryption at rest is handled at the storage layer by our cloud infrastructure provider.
Odoo and Shopify credentials are stored separately from application data in a dedicated encrypted secrets store. Access to the secrets store is restricted to the application service account only.
Access controls
Access to SyncO production infrastructure is restricted to a small team of engineers on a need-to-access basis. All production access is authenticated with multi-factor authentication. Administrative actions in production are logged to an immutable audit trail.
SyncO follows the principle of least privilege: each service component is granted only the permissions it needs to perform its function. Database credentials, API keys, and secrets are rotated on a scheduled basis.
Hosting
SyncO runs on a major cloud infrastructure provider. The provider maintains SOC 2 Type II, ISO 27001, and other compliance certifications at the infrastructure layer. Physical security, power redundancy, and network resilience are managed by the provider. Application-level high availability is implemented through redundant workers and a durable job queue.
Compliance
GDPR. SyncO is designed with GDPR principles in mind: data minimisation (we only process data necessary for sync), purpose limitation (sync data is not used for other purposes), and data subject rights support (deletion on request). See our Privacy Policy for details on how to submit a data subject request.
CCPA. If you serve California consumers, SyncO does not sell consumer personal information. Merchants may contact us to exercise CCPA rights on behalf of their customers.
Incident response
In the event of a confirmed security incident affecting customer data, TechSpawn will:
- Contain the incident and assess scope as a first priority.
- Notify affected merchants by email within 72 hours of confirming that customer data was involved. Under GDPR a processor must notify the controller without undue delay; the 72-hour deadline is the controller's, for notifying its supervisory authority, and runs from when the controller becomes aware of the breach.
- Provide a written summary of what happened, what data was affected, and what steps we have taken to prevent recurrence.
- Cooperate with regulatory notifications where required by applicable law.
Security events that do not result in data exposure will be communicated through our in-app notification system and status page as appropriate.
Customer responsibilities
Security is a shared responsibility. To keep your SyncO integration secure, we recommend:
- Using a dedicated Odoo API user for SyncO with only the permissions needed for sync operations — not a full admin account.
- Keeping your Shopify admin account secured with a strong, unique password and two-factor authentication enabled.
- Reviewing the Shopify API scopes granted to SyncO periodically and removing the app if you are no longer using it.
- Promptly notifying us at support@techspawn.com if you suspect your Odoo credentials have been compromised.
Reporting a security issue
We take security reports seriously. If you discover a potential security vulnerability in SyncO, please disclose it responsibly by emailing support@techspawn.com with:
- A description of the vulnerability and its potential impact.
- Steps to reproduce (proof of concept, if available).
- Your name and contact information (optional, but appreciated for follow-up).
We follow a 90-day responsible disclosure policy: we ask that you give us 90 days to investigate and release a fix before public disclosure. We will acknowledge your report within 2 business days and keep you informed of progress. We do not currently operate a bug bounty programme, but we are grateful for responsible disclosures and will credit researchers who wish to be acknowledged.
Please do not use public issue trackers, social media, or App Store reviews to report security vulnerabilities.
Penetration testing
TechSpawn conducts periodic penetration testing of the SyncO application and infrastructure. Tests are performed by independent security professionals. Critical and high-severity findings are remediated before the next production deployment. Results are available to enterprise customers on request under NDA.
Subprocessors
SyncO relies on the following subprocessors to deliver the Service. For full details on how each handles data, see our Privacy Policy.
- Shopify — e-commerce platform; source and destination of Shopify sync data.
- Odoo — ERP platform; source and destination of Odoo sync data (your self-managed or Odoo-hosted instance).
- PostHog — product analytics (aggregated, anonymised usage data).
- Cloud infrastructure provider — hosting, compute, storage, and network.