Skip to content

Security & data protection

Last updated: June 20, 2026.

QuotWay is a B2B quote and negotiation app built natively for Shopify. Because it runs inside Shopify and converts accepted quotes into real Shopify draft orders, most of your commercial data stays in Shopify, where you already trust it to live. This page explains how QuotWay protects the data it does handle, the controls we run, and the things we deliberately do not claim.

Native to Shopify

QuotWay reads and writes your Shopify data rather than building a parallel copy of your store. Quotes are created against your real products and customers, and an accepted quote becomes a real Shopify draft order - not a CSV export or a separate order system. There is no second source of truth for you to reconcile or secure. QuotWay only requests the Shopify access scopes it needs to do this, and you can review them on the App Store listing and revoke them at any time by uninstalling the app.

Auditable lifecycle

Every quote carries an append-only event log. From the first quote request through each counter-offer, approval decision, and the moment it converts to an order, each step is recorded as an event that is added, never edited in place. This gives you a verifiable history of what happened, when, and who acted - useful for internal review, dispute resolution, and procurement audit trails.

File safety

Buyer and message attachments are screened before they are ever stored. Each upload is validated against an allowlist of file types, and its real byte content is checked against its declared type, so a file labelled as a PDF must actually be a PDF. Files that carry active or malicious content - such as embedded scripts, macros, or executable actions - are rejected at upload and never saved.

This is content validation and active-content rejection, not signature-based antivirus. We do not claim to scan for the full universe of known malware. To reduce residual risk, QuotWay never executes uploaded files on the server, and downloads are served as attachments with the headers that stop a browser from re-interpreting a file as active content.

Data protection & privacy

QuotWay supports Shopify's privacy and GDPR webhooks. When a buyer requests their data or a deletion, or when a shop is removed, the corresponding request is handled through the standard Shopify compliance webhooks (customers/data_request, customers/redact, and shop/redact).

Data retention is merchant-controlled and enforced automatically. A daily cleanup job removes data that has aged past its retention window - including attachments, soft-deleted quotes, and older event and email logs - so data is not kept indefinitely. Attachment retention is tiered by plan: 30 days on Lite, 90 days on Starter, 180 days on Professional, and 365 days on Enterprise.

Data is encrypted in transit using HTTPS/TLS across the app, the buyer portal, and our APIs.

For the full detail on what data we process, why, and your rights, see the Privacy Policy.

Infrastructure

QuotWay runs on managed, widely used infrastructure:

  • Hosting: the application is hosted on Vercel (serverless functions on a global edge network).
  • Database: application data is stored in PostgreSQL via Neon.
  • File storage: buyer and message attachments and generated PDFs are stored on Vercel Blob.
  • Email: transactional email is sent through toSend, with AWS SES as a backup transport.
  • Error monitoring: uncaught errors are reported to Sentry, with personal data scrubbed before upload.

For the complete list of the third-party services that may process data on our behalf, see Sub-processors.

Authentication

Access to QuotWay is authenticated for both sides of a quote:

  • Embedded admin app: merchants and staff sign in through Shopify OAuth and session-token authentication. QuotWay does not store separate admin passwords - your Shopify login governs access, and staff roles inside QuotWay control what each person can see and do.
  • Hosted buyer portal: buyers reach their quotes through a magic link, and can re-verify with a one-time code sent to their email. There is no separate buyer password to manage or leak.

What we do not claim

We would rather be accurate than impressive. As of the date above, QuotWay does not hold a SOC 2 or ISO 27001 certification, and has not undergone a formal third-party penetration test. We also do not run signature-based virus scanning (see File safety for the control we do run). We will publish certifications and audit results on this page if and when they are achieved - and not before.

Responsible disclosure

If you believe you have found a security vulnerability in QuotWay, please report it to security@quotway.com. Include enough detail for us to reproduce the issue - the affected URL or feature, the steps you took, and what you observed.

We ask that you give us a reasonable window to investigate and fix the issue before disclosing it publicly, and that you avoid accessing or modifying data that is not yours, degrading our service, or testing against other merchants' data. We will acknowledge your report, keep you updated on our progress, and credit you if you would like once the issue is resolved. We will not pursue good-faith research that follows this policy.