
Security & Compliance

Built secure. Built Canadian. Built to be auditable.

CanShip handles your inventory data, your customer addresses, your shipping records, and your billing information. We treat all of it like it's our own.

Where your data lives

CanShip runs entirely on AWS Canada (ca-central-1, Montreal). Every database, every backup, every audit log. Your data does not flow through US infrastructure for normal operation.

Limited, disclosed exceptions:

  • Payment processing is handled by Stripe Inc. Cardholder data flows through Stripe's PCI-DSS Level 1 compliant infrastructure. Operational data (orders, inventory, customers, shipping records) does not.
  • Transactional email is delivered through AWS Simple Email Service (AWS SES). Email metadata may transit AWS infrastructure outside ca-central-1 in the normal course of delivery.
  • US import duty prepayment for Canada Post-to-US shipments uses Zonos. Customs declarations and recipient data are sent to Zonos solely for duty calculation.

Encryption

  • In transit: TLS 1.2+ enforced across the entire platform. Older TLS versions are rejected.
  • At rest: AES-256 via AWS KMS (Key Management Service).
  • Backups: Encrypted at rest with separate key, retained 7 days (Aurora point-in-time recovery).
  • Sales-channel and carrier credentials: Encrypted with AWS KMS envelope encryption, with the encryption metadata kept in a separate sidecar column.

Network security

  • AWS WAF v2 sitting in front of CloudFront, with managed rule sets (IP reputation, OWASP, known-bad inputs) and documented rollback paths.
  • CloudFront for distribution and DDoS resistance.
  • Per-route API rate limiting to mitigate abuse and accidental flooding.
  • Carrier API throttling to prevent rate-limit accidents that could block your shipments.

Application security

  • A cross-tenant query gate (a static check) passes with zero violations across the codebase: tenant data leaks are caught at build time, not after a customer reports them.
  • AWS Cognito for authentication, with role-based access control. Refresh tokens stored in HttpOnly cookies, not accessible to client-side JavaScript.
  • Three full rounds of penetration testing completed and remediated, including patches for an authentication bypass, IAM role privilege separation, and TLS bundle correctness.
  • Dependabot monitoring third-party libraries for known CVEs, with automated PRs for patches.
  • Secrets management via AWS Secrets Manager. No credentials in code, no .env files in production.

Identity and access

  • Role-based access control: Admin, Warehouse Manager, Picker, Packer roles, each with scoped permissions.
  • Session timeout: Automatic logout after configurable inactivity period.
  • Strong password requirements for staff accounts: minimum length, complexity, MFA where supported.
  • Multi-factor authentication (MFA) for customer admin users: coming on Pro tier (Phase 2).
  • Single sign-on (SSO): Available on Enterprise tier.

Compliance

  • PIPEDA (Personal Information Protection and Electronic Documents Act): CanShip is operated by My Passion Media Inc., a British Columbia corporation, and operates entirely under PIPEDA. Pro and Enterprise plans include full PIPEDA documentation: Data Subject Access Request handling, breach notification process, sub-processor agreements, and a Data Processing Agreement template for your use with your own clients.
  • GST/HST/PST/QST: Tax calculation is automated via Stripe Tax. CanShip's invoices to you are CRA-compliant. The 3PL Billing module on Pro tier generates CRA-compliant invoices on your behalf for your downstream clients.
  • SOC 2: Phase 2 readiness in progress. Type I audit targeted for late 2026 / early 2027.

Audit trail at the data layer

  • Every access and mutation of protected customer data is logged at the database layer via PostgreSQL triggers, with actor identifier, timestamp, source type, and source identifier.
  • Static-analysis gate in CI blocks any backend code change that ships a query against protected data without the tenant predicate. Multi-tenant isolation is enforced mechanically, not by convention.
  • Immutable retention: Audit logs cannot be edited or deleted, only appended.
  • Customer access: Pro and Enterprise customers can view their own audit log via the admin dashboard.
  • CloudTrail at the infrastructure level for all AWS actions.
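The "query without the tenant predicate" gate described above (and in the Application security section) is the kind of check that is easy to run in CI. The following is an added illustration written for this page, not CanShip's own gate: it pulls SQL literals out of a backend source file and fails when a statement that reads or writes a protected table carries no tenant predicate (or, for an INSERT, no tenant column). The protected table names, the `tenant_id` column name and the sample source are constructed assumptions.

```javascript
// Added example, not CanShip's own gate: a minimal build-time check that finds
// SQL literals in backend source and flags any statement touching a protected
// table that carries no tenant predicate. Table names, the tenant column and the
// sample source below are all constructed assumptions for illustration.

const PROTECTED_TABLES = ["customers", "orders", "shipments"]; // assumed
const TENANT_COLUMN = "tenant_id";                             // assumed

// Pull out quoted strings and template literals that begin with a DML keyword.
function extractSqlLiterals(source) {
  const literals = [];
  const re = /`[^`]*`|"[^"\n]*"|'[^'\n]*'/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const body = m[0].slice(1, -1);
    if (/^\s*(select|update|delete|insert)\b/i.test(body)) literals.push(body.trim());
  }
  return literals;
}

// Which protected tables does this statement read or write?
function referencedProtectedTables(sql) {
  return PROTECTED_TABLES.filter((t) =>
    new RegExp(`\\b(from|join|update|into)\\s+${t}\\b`, "i").test(sql)
  );
}

// Accepts "tenant_id = $1", "c.tenant_id = :tenant" or "tenant_id IN (...)".
function hasTenantPredicate(sql) {
  return new RegExp(`\\b(?:\\w+\\.)?${TENANT_COLUMN}\\s*(?:=|in\\b)`, "i").test(sql);
}

// INSERTs have no WHERE clause; require the tenant column in the column list instead.
function insertSetsTenant(sql) {
  return new RegExp(`\\(\\s*[^)]*\\b${TENANT_COLUMN}\\b[^)]*\\)`, "i").test(sql);
}

// Returns one violation per offending statement; an empty array means the gate passes.
function checkSource(filename, source) {
  const violations = [];
  for (const sql of extractSqlLiterals(source)) {
    const tables = referencedProtectedTables(sql);
    if (tables.length === 0) continue;
    const isInsert = /^insert\b/i.test(sql);
    const ok = isInsert ? insertSetsTenant(sql) : hasTenantPredicate(sql);
    if (!ok) violations.push({ file: filename, tables, sql });
  }
  return violations;
}

// Constructed sample source: one leaky SELECT among otherwise scoped statements.
const SAMPLE_SOURCE = `
  const byId = "SELECT id, name FROM customers WHERE tenant_id = $1 AND id = $2";
  const leaky = "SELECT id, name FROM customers WHERE id = $1";
  const ship = \`UPDATE shipments SET status = $1 WHERE tenant_id = $2 AND id = $3\`;
  const clock = "SELECT now()";
  const create = "INSERT INTO orders (tenant_id, customer_id) VALUES ($1, $2)";
`;

const found = checkSource("orders.js", SAMPLE_SOURCE);
for (const v of found) {
  console.log(`${v.file}: query on ${v.tables.join(", ")} lacks ${TENANT_COLUMN}: ${v.sql}`);
}
console.log(found.length > 0 ? "gate: FAIL" : "gate: PASS");
```

A regex pass like this is deliberately strict rather than clever: a predicate hidden in a subquery or built at runtime will be flagged and needs an explicit, reviewed exemption. That is the point of enforcing isolation mechanically; the gate should fail closed and make a human justify the exception.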

Environment separation

  • Test, sandbox, and production environments are strictly isolated. Sandbox tenants run on the same infrastructure but are flagged at the database row level, with UI banners and tenancy enforcement.
  • Production personal data does not flow into development or sandbox environments. Sandbox seed data is synthetic.

Data loss prevention

  • Pre-deploy security pipeline includes secret scanning (TruffleHog), dependency vulnerability scanning (npm audit), static-analysis security testing (Semgrep), and a manual production approval gate before any deployment to production.
  • Webhook payloads carrying personal data (Shopify webhooks, carrier webhooks) are purged on a 90-day retention window.
  • Outbound data egress is monitored.

Shopify Protected Customer Data (Level 2)

CanShip is approved for Shopify Protected Customer Data Level 2 access, which covers customer data including name, address, phone, and email fields. We meet the full Shopify Protected Customer Data Level 1 and Level 2 requirements:

  • Minimum data principle: we request only the OAuth scopes required for fulfillment, listed publicly on our Shopify App Store listing.
  • No data sale, no cross-context behavioural advertising: Shopify customer data is used for fulfillment only. We do not sell, rent, or share it for advertising or marketing purposes.
  • Mandatory compliance webhooks: customers/data_request, customers/redact, and shop/redact are implemented and respond within 30 days of receipt. The shop/redact webhook, delivered on the 48-hour window after uninstall, anonymizes ship-to PII.
  • Encrypted backups, environment separation, audit log, strong staff passwords with MFA, documented incident response policy: all covered above.
  • Data Processing Agreement (DPA): available on request from legal@canship.co.

Full details in our Privacy Policy, Section 11.

Incident response

  • 24/7 monitoring with automated alerts on anomalous activity.
  • Documented security incident response policy with severity classifications, escalation paths, and notification timelines.
  • Breach notification commitment: If a security incident affects your data, you'll hear from us within 72 hours of confirmation, in line with the Office of the Privacy Commissioner's PIPEDA breach notification requirements. For Shopify merchants, breach notification follows Shopify's API Terms of Service and Partner Program Agreement.
  • Public status page: status.canship.co, real-time uptime, incidents, and scheduled maintenance.

Reporting a vulnerability

If you've found a security issue in CanShip, please email security@canship.co with details. We treat security reports with priority and will respond within one business day.

We are not running a formal bug bounty program yet, but we acknowledge responsible disclosure publicly (with permission) and recognize researchers who help us improve.

Compliance and certifications summary

Item                                      Status
PIPEDA (Canadian privacy)                 Compliant. Documentation pack on Pro+ tier.
Shopify Protected Customer Data Level 2   Compliant. Webhooks live, DPA available.
TLS 1.2+ enforcement                      Live
AWS Canada (ca-central-1) data residency  Live
WAF + CloudFront protection               Live
Penetration testing                       3 rounds completed and remediated
Cross-tenant query gate                   Zero violations
KMS encryption at rest                    Live
Audit trail at the database layer         Live (PostgreSQL triggers)
Public status page                        Live at status.canship.co
MFA for admin users                       In progress (Pro tier, Phase 2)
Single Sign-On (SSO)                      Planned (Enterprise tier, Phase 2)
SOC 2 Type I                              Planned (readiness in progress)
Bug bounty program                        Planned (Phase 3)

Documentation available on request

For Pro and Enterprise customers, the following documentation can be provided under NDA:

  • Penetration testing report (most recent)
  • Architecture diagram
  • Data flow documentation
  • Sub-processor list (AWS, Stripe, AWS SES, Zonos, third-party services)
  • DPA (Data Processing Agreement) template
  • Incident response runbook
  • BCP / DR plan summary

Request via security@canship.co. We respond within one business day.

Have specific security questions?

We get this question a lot, especially from larger 3PLs and brands with their own compliance obligations. We're happy to walk through our architecture, answer specifics, or fill out your security questionnaire.

Talk to security or book a demo.