Security Overview

Here are the risks you're worried about, answered directly.

Last updated: 17 March 2026

✅ At a glance

  • Read-only access only — no data writes
  • No customer or order data stored outside Shopify
  • Shopify OAuth — no passwords handled
  • Isolated per-store installation
  • No third-party data sharing

What we can and can't access

Tessera cannot modify your store or customer data

All API access is strictly read-only. Tessera cannot write to your products, orders, customer records, or any other store data. If an engagement requires write access for implementation work, that is a separate, explicitly authorised scope — never included by default.

Each store is completely isolated

Your store gets its own dedicated app installation. Credentials and audit data are never shared or mixed across clients.

How authentication works

Standard Shopify OAuth — you approve access directly in Shopify

Authentication is handled via Shopify's OAuth flow. You approve access through Shopify's standard consent screen — Tessera never sees or stores passwords. Tokens are scoped to the minimum required read-only permissions.

How your data is handled

Customer data stays on Shopify — always

Tessera does not extract, store, or process personally identifiable information outside of Shopify. Customer names, emails, order details, and payment information never leave Shopify's infrastructure. We read via API and generate insights — the source data stays exactly where it is.

What we store (and don't store)

Tessera stores audit results, performance scores, and aggregated anonymised metrics to power reporting and trend analysis. This data contains no customer PII — it's derived, not extracted. We may retain your store domain and high-level revenue-range metadata for engagement history.

Transmission and sharing

Encrypted in transit

All communication between Tessera and Shopify is encrypted via TLS 1.2+. The Tessera web application is served over HTTPS with HSTS enforced.

No third-party data sharing

Tessera does not sell, share, or transfer your store data or audit results to any third party.

Security questions or responsible disclosure? hello@tessera-systems.io