Sprusify

Security, Privacy & Compliance

Sprusify handles affiliate and tracking data and must be configured to meet data-protection and payment-processing expectations. This page summarizes recommended controls and merchant obligations.

Data minimization & retention

  • Store only the data necessary for attribution: click metadata, affiliate contact and payout info, and order references.
  • Define retention policies: purge raw click logs older than your audit window, but keep summarized attribution data for accounting as required by law.

Secrets & encryption

  • Store secrets (Shopify and Stripe keys, webhook secrets) in environment variable stores or a secrets manager. Do not commit them to source control.
  • Use HTTPS for all endpoints and TLS for database/third-party connections.

Webhooks & verification

  • Verify webhook signatures using the shared Shopify secret to avoid spoofed events.
  • Implement idempotency and safe retry logic to avoid duplicate processing.

Payments & PCI

  • Sprusify does not need to handle raw card data. Use Shopify Payments or Stripe for processing and Stripe Connect for payouts.

Data subject rights

  • Provide mechanisms to export and delete affiliate personal data to satisfy GDPR/CCPA requests; log such requests and actions.

Access control & auditing

  • Apply role-based access in the admin portal; limit who can issue payouts, perform manual adjustments, or resolve disputes.
  • Log admin actions for auditability (who changed commission rates, who approved payouts, etc.).

Incident response

  • Have a plan for data breaches: notify affected parties and regulators per local law, rotate compromised secrets, and review logs.

Developer checklist (security)

  • Use secure storage for environment variables.
  • Enable monitoring for unusual webhook activity.
  • Test webhook verification and idempotency in staging before production.

Following these practices will reduce risk and help you meet legal obligations in most jurisdictions. Consult a lawyer for specific compliance requirements.

  • Data export: Admin > Settings > Data > Export to download affiliate and transaction records.
  • Data deletion: Use the GDPR/Right-to-be-forgotten flow in Settings to remove a user’s personal data.

Security practices

  • Webhooks are signed; verify X-Spru-Signature on incoming requests.
  • We use TLS for all network traffic and rotate API keys frequently.

Compliance notes

  • GDPR: We provide data export/deletion tools and processors’ contracts on request.
  • PCI: We do not process card numbers directly; use Shopify’s payment layer for PCI compliance.

Questions about compliance? Contact support@sprusify.example with your legal request.