
Last Updated: 10 June 2026

WB Connect is the Shopify-merchant-facing sub-brand of Warehouse Bridge. It is operated by Flag Eagle LLC, a limited liability company formed under the laws of the State of Nevada, United States. This Information Security Policy is published openly so that prospective and existing users — Shopify merchants, the 3PL fulfilment warehouses that operate Warehouse Bridge as their warehouse management system, regulators, and security teams conducting vendor due diligence — can assess our controls before installation and at any time afterwards.

This document describes the controls we have in place today. It does not overclaim. Where a programme is still maturing — for example, formal independent attestations — we say so plainly.

1. About This Policy

1.1 Who we are

WB Connect is operated by:

  • Legal entity: Flag Eagle LLC, a limited liability company formed under the laws of the State of Nevada, United States.
  • State filing: Registered with the Nevada Secretary of State. Entity details are publicly searchable through the Nevada Secretary of State business entity search at https://www.nvsos.gov/sosentitysearch under the entity name "Flag Eagle LLC".
  • Trading name: Warehouse Bridge.
  • Shopify-facing sub-brand: WB Connect.
  • Shopify App Store listing: the listing is titled "Warehouse Bridge v3" and is presented to merchants as "WB Connect" within the App Store listing. References in this Policy to either name mean the same product.
  • Registered address: 401 Ryland Street STE-200, Reno, NV 89502, United States.
  • Website: https://wbconnect.app.
  • General contact: support@warehousebridge.com.
  • Security and privacy contact: privacy@warehousebridge.com.
  • Abuse reports: abuse@warehousebridge.com.
  • Legal contact: legal@warehousebridge.com.

References to "Flag Eagle", "Warehouse Bridge", "WB Connect", "we", "us" and "our" in this Policy mean Flag Eagle LLC. References to the "3PL Warehouse Customer" mean the third-party logistics warehouse that the merchant elects to connect to and that operates Warehouse Bridge as its warehouse management system ("WMS").

1.2 Scope

This Policy covers:

  • the WB Connect Shopify application, hosted at app.warehousebridge.com on the path surface dedicated to the Shopify connector;
  • the public marketing and policy website at https://wbconnect.app;
  • the production AWS environment that backs the application; and
  • the personnel, contractors, sub-processors and supporting services that have access to WB Connect production systems and the data they process.

This Policy does not cover:

  • the WMS deployment that the 3PL Warehouse Customer runs to operate its warehouse — the 3PL Warehouse Customer is a separate user of the Warehouse Bridge platform with its own commercial agreement, and is identified separately throughout this Policy and the Privacy Policy at https://wbconnect.app/privacy;
  • the merchant's own Shopify store, which is operated by the merchant under the merchant's agreement with Shopify Inc.; or
  • the underlying physical fulfilment, storage, carrier or freight services, which are provided by the 3PL Warehouse Customer under that 3PL's separate commercial agreement with the merchant.

1.3 What WB Connect does (security-relevant summary)

WB Connect is a free Shopify-side connector. A Shopify merchant installs WB Connect through the Shopify App Store. The OAuth callback creates a $0.00 / month recurring AppSubscription via the Shopify Billing API — this creates a real merchant-visible billing record in Shopify Admin → Settings → Apps → Charges and satisfies Shopify App Store policy 1.2.1. The merchant is never charged through Shopify or off-platform by Flag Eagle LLC. Any fulfilment, storage or per-shipment charges the merchant pays for the physical movement of goods are billed directly by the 3PL Warehouse Customer under that 3PL's existing B2B contract with the merchant — Flag Eagle LLC is not party to those fees.

Subject to the scopes the merchant authorises during Shopify OAuth, the connector:

  • receives from Shopify via API and webhooks: order data, line items, customer shipping and billing addresses, product catalogue, inventory levels, fulfilment status and store metadata; and
  • writes back to Shopify: fulfilment events, tracking numbers and inventory updates.

Webhooks subscribed include order events, product create/update/delete and inventory level updates, plus the four Shopify-mandated compliance webhooks described in Section 13.

2. Security Programme Objectives

The WB Connect security programme is designed to:

  • protect the confidentiality, integrity and availability of merchant data, end-customer data and operational data passed through WB Connect;
  • comply with applicable laws — including the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively the "CCPA"), applicable other US state privacy statutes (including the Nevada online privacy notice requirements at NRS 603A.340 and the Nevada security and breach-notification requirements at NRS 603A.210 and NRS 603A.220), the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR") for UK data subjects, and the EU General Data Protection Regulation ("EU GDPR") for EEA data subjects;
  • meet the security and platform requirements of the Shopify Partner Programme Agreement and the Shopify App Store policies;
  • support the contractual commitments we make to merchants and to 3PL Warehouse Customers in the Terms and Conditions, the Data Processing Addendum and the Service Level Agreement; and
  • continuously improve our posture as the product, the platform and the regulatory landscape evolve.

We align our control set to the NIST Cybersecurity Framework (CSF) 2.0 functions — Govern, Identify, Protect, Detect, Respond, Recover. We are not currently SOC 2 attested; SOC 2 Type I readiness work is on the WB Connect roadmap and we will update this Policy when that scope changes. We do not currently claim ISO/IEC 27001 certification.

3. Governance and Responsibilities

3.1 Ownership

Overall accountability for information security rests with Flag Eagle LLC's leadership. Day-to-day responsibility for the WB Connect security programme — risk assessment, vendor review, incident response coordination, and security-control implementation — sits with the WB Connect engineering function under that leadership.

3.2 Privacy and data-protection contact

Privacy and data-protection enquiries, data subject requests and questions about this Policy should be directed to privacy@warehousebridge.com. The data-protection contact at Flag Eagle LLC monitors that mailbox and coordinates response with engineering and legal as required. We do not maintain a formal "Data Protection Officer" appointment under UK GDPR Article 37 because our processing does not meet the mandatory-DPO thresholds; the privacy mailbox provides a single, monitored channel for the same purpose.

3.3 Policy review

This Policy is reviewed at least annually and following any material change to:

  • the WB Connect architecture or sub-processor set;
  • the applicable regulatory landscape;
  • the Shopify Partner Programme or App Store policies; or
  • an incident that surfaces a control gap that this Policy needs to reflect.

The "Last Updated" date at the top of this Policy is changed each time the Policy is materially revised.

4. Infrastructure Security

4.1 Hosting

Production WB Connect workloads run on Amazon Web Services in the eu-west-2 (Ireland) region. AWS-operated infrastructure in other regions may be used for resilience, disaster recovery and content-delivery purposes; any such use is supported by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK Addendum to the EU SCCs and/or the UK International Data Transfer Addendum, and — where the receiving AWS entity is self-certified — the EU-U.S. Data Privacy Framework and the UK Extension.

AWS is responsible for the security of the cloud (physical data-centre security, hardware, hypervisor, baseline network). Flag Eagle LLC is responsible for security in the cloud (the WB Connect application, its configuration, the data it processes, the identities that access it). AWS publishes its own audited compliance posture, including SOC 1/2/3, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 27701; we rely on those attestations for the underlying physical and platform layer.

4.2 Network architecture

  • WB Connect runs inside a hardened Amazon VPC. Production subnets that hold the application and database tiers are not directly reachable from the public internet.
  • Inbound traffic terminates on Elastic Load Balancing in front of the application tier; only the load balancer is exposed to the internet, and only on ports 80 (redirect to HTTPS) and 443.
  • Security groups are configured on a default-deny basis and opened only for the specific source-port-destination combinations required to deliver the service.
  • Outbound egress from production is limited to the destinations required for the Shopify API, AWS service endpoints, AWS SES, Stripe Billing API administration, and operating-system / package mirrors used by automated patching.

4.3 Compute and storage

  • Compute runs on managed AWS services with current, supported runtimes. Long-lived hosts are kept current with vendor-supplied security patches.
  • EBS volumes that back compute hosts are encrypted at rest with AES-256 using AWS-managed keys.
  • Persistent data stores (relational database, object storage) are encrypted at rest with AES-256.
  • S3 buckets that hold WB Connect data are private by default, block all public access, and require TLS for in-transit access (aws:SecureTransport enforced).

4.4 Transport security

  • All public-facing endpoints require TLS 1.2 or higher. Legacy SSL and TLS 1.0/1.1 are disabled.
  • HTTPS is enforced end-to-end for the application surface and for the public website at https://wbconnect.app.
  • HTTP Strict Transport Security (HSTS) is enabled on application endpoints.
  • Outbound calls to the Shopify API, AWS SES, Stripe Billing API and other sub-processor endpoints are made over TLS, and the remote certificates are validated.

5. Application Security

5.1 Authentication and session management

  • The application back end is built on the Flask framework. Browser session authentication is implemented with Flask-Login, with signed session cookies marked HttpOnly, Secure and SameSite=Lax (or stricter where compatible with OAuth callbacks).
  • Sessions time out on inactivity. Logout invalidates the server-side session record.
  • Shopify-initiated requests are authenticated using the OAuth flow defined by Shopify, with state-parameter and HMAC verification on the OAuth callback as required by the Shopify Partner Programme.
  • Shopify webhooks are verified using the HMAC signature in the X-Shopify-Hmac-Sha256 header before any business logic runs. Webhooks with missing, invalid or replayed signatures are rejected with HTTP 401.

5.2 Authorisation

  • Access inside the application is constrained by an internal access-control model. Merchant-facing accounts auto-provisioned during the Shopify install are issued an access_scope of shopify_merchant and are scoped to the merchant-facing routes only; warehouse-only routes (administration, CRM, advanced WMS analytics) are denied at the request-handler level.
  • Tenant isolation is enforced server-side: queries that read merchant or 3PL data are filtered on the tenant identifier and the request's authenticated session, not on client-supplied parameters.

5.3 Input validation, output handling and abuse controls

  • Templates use auto-escaping by default to mitigate cross-site scripting (XSS).
  • Database access uses parameterised ORM queries through SQLAlchemy; raw SQL is avoided and, where used, parameterised.
  • Cross-Site Request Forgery (CSRF) protection is enforced on state-changing browser routes via Flask-WTF; the CSRF token is delivered via meta[name="csrf-token"] and validated server-side. Programmatic endpoints (Shopify webhooks, Shopify-Billing-API callbacks) are exempted because they are authenticated by HMAC signature instead.
  • Rate limiting is applied via Flask-Limiter. Authentication-sensitive endpoints carry stricter limits (for example, the warehouse-user login route is limited to five attempts per minute per source).
  • Account lockout is enforced on warehouse-user login: ten failed attempts in a fifteen-minute window triggers a fifteen-minute lock. Lockout events are logged.
  • Security-relevant response headers — Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy (where compatible with Shopify-served content), X-Frame-Options / frame-ancestors — are set on application responses.
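
How the per-source rate limit and the account lockout above interact, as an added sketch that is not WB Connect's own code. It uses the limits stated in this section; the LoginGuard class, keying the lockout on the account name and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Limits as stated in Section 5.3.
RATE_LIMIT = 5          # login attempts per source ...
RATE_WINDOW = 60        # ... per minute
LOCK_THRESHOLD = 10     # failed attempts ...
FAIL_WINDOW = 15 * 60   # ... within fifteen minutes
LOCK_DURATION = 15 * 60 # length of the resulting lock


class LoginGuard:
    """Hypothetical in-memory guard; a real deployment needs shared storage."""

    def __init__(self):
        self.attempts = defaultdict(deque)  # source -> attempt timestamps
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock timestamp
        self.events = []                    # lockout log (time, event, account)

    def _rate_limited(self, source, now):
        window = self.attempts[source]
        # Drop attempts that have aged out of the one-minute window.
        while window and window[0] <= now - RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return True
        window.append(now)
        return False

    def _record_failure(self, account, now):
        fails = self.failures[account]
        fails.append(now)
        while fails and fails[0] <= now - FAIL_WINDOW:
            fails.popleft()
        if len(fails) >= LOCK_THRESHOLD:
            self.locked_until[account] = now + LOCK_DURATION
            fails.clear()
            self.events.append((now, "lockout", account))

    def attempt(self, account, source, now, password_ok):
        """Return 'locked', 'rate_limited', 'failed' or 'ok' for one login try."""
        # The lock is checked first, so a locked account rejects even a
        # correct password and regardless of which source is asking.
        if self.locked_until.get(account, 0) > now:
            return "locked"
        # The rate limit is per source and runs before the password check,
        # so throttled requests never count as password guesses.
        if self._rate_limited(source, now):
            return "rate_limited"
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        self._record_failure(account, now)
        return "failed"


def simulate_single_source(seconds=65):
    """Constructed scenario: one source guesses once per second."""
    guard = LoginGuard()
    outcomes = [guard.attempt("alice", "203.0.113.7", t, False)
                for t in range(seconds)]
    return guard, outcomes


if __name__ == "__main__":
    guard, outcomes = simulate_single_source()
    print(outcomes.count("failed"), "failures,",
          outcomes.count("rate_limited"), "throttled")
    print("lockout events:", guard.events)
```

With one guess per second from a single source, the rate limit admits five guesses per minute, so the tenth failure and the lock arrive at second 64; guesses spread across many sources reach the lock sooner because only the lockout is keyed on the account.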

5.4 Secure development

  • Source code is version-controlled in Git. Changes to production code go through pull-request review before merge.
  • Secrets — API tokens, database credentials, signing keys — are never committed to source control. They are supplied to production via environment variables, sourced from AWS-managed secret storage and process-level configuration. Local development uses .env files that are excluded from version control.
  • Dependencies are pinned. Automated dependency-vulnerability scanning runs against the repository and surfaces advisories from the Python Packaging Advisory Database, the GitHub Advisory Database and equivalent sources.
  • Build and deployment artefacts are produced from the controlled main branch.

6. Identity and Access Management (Operations)

6.1 Principle of least privilege

Production access is granted on a need-to-know basis and is removed when no longer required. AWS Identity and Access Management (IAM) roles and policies are scoped to the smallest practical set of actions and resources. We do not use the AWS account root identity for day-to-day operations.

6.2 Multi-factor authentication

  • Multi-factor authentication (MFA) is required for all administrative identities that have access to the production AWS account, the production source-code repository, the Shopify Partner Dashboard, the domain registrar, the Stripe Billing administration console and the AWS SES sending console.
  • Hardware security keys are used for the most sensitive identities where the underlying console supports them; time-based one-time-password (TOTP) authenticators are used elsewhere.

6.3 Access reviews

Access to production and to administrative consoles is reviewed when an individual's role changes, on termination, and at planned intervals. Dormant accounts are disabled.

6.4 Separation between WB Connect and Warehouse Bridge customers

The WB Connect application surface (app.warehousebridge.com on the Shopify connector routes) is logically separated from administrative warehouse-facing surfaces by the access-scope model described in Section 5.2. A merchant cannot access warehouse-administrative routes, and a non-administrative warehouse user cannot access another tenant's data.

7. Data Security

7.1 Data classification

WB Connect handles the following broad data categories:

  • Merchant data received from Shopify — order data, line items, customer shipping and billing addresses, product catalogue, inventory levels, fulfilment status, store metadata.
  • Operational data — webhook event records, sync state, audit logs, error telemetry.
  • Account data — the auto-provisioned merchant user record (deterministic email of the form shopify+{shop_handle}@warehousebridge.local or, where discoverable from the Shopify shop record, the real shop owner email), access_scope and password hash for the random, never-used password.
  • Billing record data — references to the merchant's $0.00 / month Shopify AppSubscription, held in our database for reconciliation. No merchant payment card data is ever received, stored or processed by WB Connect.

7.2 Encryption

  • In transit: TLS 1.2 or higher for all external traffic and for internal traffic that crosses an AWS availability zone boundary or a service boundary where the service supports TLS.
  • At rest: AES-256 for EBS volumes, the relational database tier and S3 objects that hold WB Connect data. Key material is managed by AWS Key Management Service (KMS) under AWS-managed keys.
  • Secrets: Production secrets are held in environment variables sourced from AWS-managed secret stores. Long-lived static credentials are rotated periodically and on suspicion of compromise.
  • Password storage: Application user-record passwords (including the random never-used passwords issued to auto-provisioned Shopify merchant users) are stored as salted hashes using a modern password-hashing function. Plaintext passwords are never written to logs or persisted to disk.

7.3 Data minimisation and retention

  • We collect from Shopify only the data needed to perform the connector function. We do not request scopes beyond those declared in the Shopify Partner Dashboard and in the merchant-facing OAuth consent screen.
  • We do not sell merchant data, end-customer data or store-operational data, and we do not use it for advertising, profiling or model training.
  • Retention periods are described in the Privacy Policy at https://wbconnect.app/privacy. On Shopify-triggered deletion events (the customers/redact and shop/redact webhooks described in Section 13), data is deleted or de-identified in accordance with the timelines those policies set.

8. Backups, Resilience and Disaster Recovery

8.1 Backups

  • The production relational database is backed up automatically. Backups are encrypted at rest with AES-256 and are held within the AWS eu-west-2 environment in a separate availability zone from the primary database.
  • Object storage is configured to retain previous versions of critical objects and is protected against accidental deletion through bucket policy and lifecycle configuration.

8.2 Resilience

  • The application tier is designed to tolerate the loss of a single availability zone in eu-west-2 without service interruption.
  • The database tier uses automated failover within eu-west-2.

8.3 Disaster recovery

  • We maintain a documented recovery process for restoring WB Connect from backup in the event of regional or environment-level loss.
  • Recovery objectives (RTO and RPO) are documented internally and are restated in the Service Level Agreement at https://wbconnect.app/sla.
  • Recovery procedures are tested periodically. Test outcomes feed back into the disaster-recovery documentation.

9. Logging, Monitoring and Incident Response

9.1 Logging

WB Connect captures application logs, authentication events, webhook receipt and verification outcomes, OAuth callbacks, billing-API callbacks, and administrative-action audit events. Logs are written to a managed log store within the production AWS environment and are protected from in-place modification.

Personal data is minimised in logs. Where it would be useful for debugging but harmful to log in clear, we log identifiers rather than payloads.

9.2 Monitoring

  • Application errors and exceptions are surfaced through monitoring dashboards and alerting channels.
  • Webhook delivery anomalies (signature-verification failures, replay attempts, sustained delivery failures from Shopify) are alerted on.
  • AWS native security signals — CloudTrail-style audit events, root-account use, IAM-policy changes, MFA disablement — are monitored and alerted on.

9.3 Incident response

We maintain an internal incident-response process covering identification, containment, eradication, recovery, notification and post-incident review.

  • The on-call channel for security incidents and abuse reports is abuse@warehousebridge.com.
  • The privacy / data-protection escalation channel is privacy@warehousebridge.com.
  • Confirmed personal-data breaches are notified in accordance with applicable law. For UK data subjects we notify the Information Commissioner's Office under UK GDPR Article 33 within 72 hours of becoming aware where the breach meets the notification threshold. For EEA data subjects we notify the lead supervisory authority within the same timeframe under EU GDPR Article 33. For data subjects whose data is protected by US state breach-notification statutes — including, where applicable, the Nevada security-breach disclosure requirements at NRS 603A.220, the California disclosure requirements at California Civil Code §1798.82, and equivalent statutes in other states — we notify affected individuals and the relevant Attorneys General in the most expedient time possible and without unreasonable delay, consistent with the needs of law enforcement and the integrity of the investigation.
  • Affected merchants and 3PL Warehouse Customers are notified directly when a breach affects their data, in accordance with the Data Processing Addendum at https://wbconnect.app/dpa.

9.4 Coordinated disclosure

Security researchers and reporters can report a vulnerability or a suspected incident in good faith to abuse@warehousebridge.com. We welcome reports made under accepted coordinated-disclosure practice. We do not currently operate a paid bug-bounty programme. We will acknowledge reports promptly and we will not pursue legal action against researchers who act in good faith, who do not access more data than is necessary to demonstrate the issue, who do not degrade the service, and who give us a reasonable period to remediate before public disclosure.

10. Vulnerability Management and Penetration Testing

10.1 Patch management

  • Operating-system packages on long-lived hosts are kept current with vendor security advisories.
  • Application-language dependencies are kept current with security advisories surfaced by automated dependency scanning. High-severity advisories are remediated on a priority basis.

10.2 Vulnerability scanning

  • Automated software-composition-analysis (SCA) scans run against the source repository.
  • Configuration drift in the AWS environment is monitored using AWS-native tooling.

10.3 Penetration testing

We commission an independent third-party penetration test of the WB Connect application at least once every twelve months and after any architectural change that materially alters the attack surface. Findings are tracked through to closure on a risk-weighted basis. A summary of the testing posture (scope, vendor, date of most recent test) is available to merchants and 3PL Warehouse Customers under a non-disclosure agreement on request to privacy@warehousebridge.com.

11. Third-Party Risk and Sub-Processors

11.1 Selection and review

We assess third-party vendors that process or have access to WB Connect production data before engagement and at planned intervals during the relationship. The assessment considers security posture, available independent assurance (SOC 2, ISO/IEC 27001, equivalent), data-protection commitments, and the jurisdictions in which processing takes place.

11.2 Sub-processors

Our current production sub-processors, the role each fulfils for WB Connect and the location of processing are listed in the Privacy Policy at https://wbconnect.app/privacy (Section 5.3 of that document) and in the Subprocessors page at https://wbconnect.app/subprocessors. In summary they are:

  • Amazon Web Services, Inc. — compute, database and object-storage hosting; primary processing in AWS eu-west-2 (Ireland).
  • Amazon Simple Email Service (AWS SES) — transactional email delivery (install confirmations, security notices, webhook acknowledgements).
  • Stripe, Inc. and its affiliates — Stripe is used by Flag Eagle LLC for general business-billing administration only. Stripe is not used to charge any Shopify merchant in connection with WB Connect. The $0.00 / month WB Connect AppSubscription is administered exclusively through the Shopify Billing API.

Each sub-processor is bound by a written data-processing agreement that meets the CCPA's service-provider requirements and (for data of data subjects in the UK or EEA) Article 28 UK GDPR / EU GDPR.

11.3 Sources and recipients that are not Flag Eagle sub-processors

For clarity:

  • Shopify Inc. is the source platform from which we receive merchant and end-customer data via the Shopify APIs and webhooks. Shopify is not a sub-processor of Flag Eagle LLC; the parties' respective roles are defined by the Shopify Partner Programme Agreement and Shopify's own Data Processing Addendum.
  • The 3PL Warehouse Customer to which the merchant elects to connect is not a sub-processor of Flag Eagle LLC. The 3PL Warehouse Customer is selected and contracted by the merchant, and the merchant's relationship with the 3PL is governed by the merchant's own contract with that 3PL.

12. Personnel Security

  • Personnel with access to WB Connect production systems are subject to written confidentiality obligations.
  • Background checks, where lawful in the jurisdiction in which the individual is engaged, are completed before access is granted to production systems that hold personal data.
  • Security awareness — phishing resistance, secure handling of credentials, recognition of social-engineering pretexts, secure use of personal devices — is reinforced periodically.
  • On separation, access is revoked, credentials are rotated where shared in any inherited capacity, and devices used to access production are recovered or remotely revoked.

13. Shopify Platform Compliance and GDPR Webhooks

13.1 GDPR webhooks

WB Connect implements the four Shopify-mandated compliance and uninstall webhooks at the application surface app.warehousebridge.com, on the path /shopify/webhooks/compliance (and the corresponding uninstall handler):

  • customers/data_request — when a Shopify store owner receives a data-access request from a customer for data the store has shared with WB Connect, Shopify posts this webhook to our endpoint. We respond to the merchant in accordance with the timelines in our Privacy Policy and Data Processing Addendum so that the merchant can fulfil the request to the customer.
  • customers/redact — when a customer of a Shopify store invokes a deletion right, Shopify posts this webhook to our endpoint. WB Connect deletes or de-identifies that customer's personal data within the timelines stated in our Privacy Policy.
  • shop/redact — when forty-eight (48) hours have elapsed after a merchant uninstalls WB Connect, Shopify posts this webhook to our endpoint. WB Connect deletes or de-identifies the shop's personal data within the timelines stated in our Privacy Policy.
  • App uninstalled — Shopify notifies our endpoint when a merchant uninstalls WB Connect. Access tokens are invalidated immediately on receipt.

All four endpoints verify the Shopify HMAC signature on the request body before any action is taken, and reject requests that fail signature verification.
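
The verification step described here and in Section 5.1, as an added example that is not WB Connect's own code. Shopify sends the base64-encoded HMAC-SHA256 of the raw request body in X-Shopify-Hmac-Sha256; the function names, the in-memory replay cache keyed on the digest, and the sample secret and payload are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Mapping, MutableSet, Tuple

HMAC_HEADER = "x-shopify-hmac-sha256"


def sign(raw_body: bytes, secret: bytes) -> str:
    """Header value a sender holding the shared secret would compute."""
    mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_webhook(raw_body: bytes, headers: Mapping[str, str],
                   secret: bytes, seen: MutableSet[bytes]) -> Tuple[int, str]:
    """Return (HTTP status, reason); 200 only for a fresh, valid signature."""
    # Header names are case-insensitive, so normalise before the lookup.
    supplied = next((v for k, v in headers.items()
                     if k.lower() == HMAC_HEADER), None)
    if not supplied:
        return 401, "missing signature"
    try:
        supplied_mac = base64.b64decode(supplied, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 401, "invalid signature"
    # The MAC covers the exact bytes received, not re-serialised JSON.
    expected_mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(supplied_mac, expected_mac):
        return 401, "invalid signature"
    # Assumed replay control: remember digests already accepted. A real
    # service would use a shared store with an expiry, not a local set.
    if expected_mac in seen:
        return 401, "replayed signature"
    seen.add(expected_mac)
    return 200, "accepted"


def handle_delivery(raw_body: bytes, headers: Mapping[str, str], secret: bytes,
                    seen: MutableSet[bytes],
                    handler: Callable[[dict], None]) -> int:
    """Verify first; parse the body and run business logic only on success."""
    status, _reason = verify_webhook(raw_body, headers, secret, seen)
    if status != 200:
        return status
    handler(json.loads(raw_body))
    return 200


# Constructed sample values, not real credentials or shop data.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"shop_domain": "example.myshopify.com", "customer": {"id": 1}}'

if __name__ == "__main__":
    seen_digests: set = set()
    hdrs = {"X-Shopify-Hmac-Sha256": sign(SAMPLE_BODY, SAMPLE_SECRET)}
    print(handle_delivery(SAMPLE_BODY, hdrs, SAMPLE_SECRET, seen_digests, print))
    print(verify_webhook(SAMPLE_BODY, hdrs, SAMPLE_SECRET, seen_digests))
    print(verify_webhook(SAMPLE_BODY + b" ", hdrs, SAMPLE_SECRET, set()))
```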

13.2 Shopify Billing API

The WB Connect AppSubscription is created via the Shopify Billing API on a $0.00 / month recurring basis during the post-install OAuth callback. This is the only billing mechanism associated with WB Connect; merchants are never charged off-platform by Flag Eagle LLC for use of the WB Connect connector. Test-mode subscriptions are auto-detected from the Shopify shop plan (partner-test, affiliate and staff stores) so reviewer installs do not result in live billing records being created during evaluation.

13.3 Partner Programme alignment

We comply with the Shopify Partner Programme Agreement, the Shopify App Store policies and the Shopify API terms. Changes to those policies that affect WB Connect are tracked, and the relevant areas of this Policy and the Privacy Policy are updated.

14. Compliance Posture

14.1 Frameworks we align to

  • NIST Cybersecurity Framework (CSF) 2.0 — control alignment.
  • Shopify Partner Programme and Shopify App Store policies — platform compliance and the GDPR-webhook obligations described in Section 13.

14.2 Privacy law

  • CCPA (as amended by the CPRA) — applicable to personal information of California residents that we process.
  • Other US state privacy statutes — applicable to residents of states whose statutes apply to our processing, including the Nevada provisions at NRS 603A (online privacy notice, security and breach notification).
  • UK GDPR and the UK Data Protection Act 2018 — applicable to personal data of UK data subjects.
  • EU GDPR — applicable to personal data of EEA data subjects.

Flag Eagle LLC is the US data importer for transfers of UK or EEA personal data to the United States. Where any such transfer occurs, it is supported by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum to the EU SCCs or the UK International Data Transfer Agreement as appropriate, and the supplementary measures recommended by the European Data Protection Board in EDPB Recommendations 01/2020 — encryption in transit and at rest, access controls limiting administrative reach into the data, and transparency about government-access requests as described in the Privacy Policy.

14.3 Independent attestations

We are not currently SOC 2 attested and we are not currently ISO/IEC 27001 certified. We rely on AWS's published attestations (SOC 1/2/3, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701) for the infrastructure layer that AWS operates on our behalf. SOC 2 Type I readiness work is on the WB Connect roadmap; this Policy will be updated when our independent-attestation status changes. We do not represent equivalence to attestations we have not yet obtained.

14.4 PCI-DSS

WB Connect does not receive, store, process or transmit payment card data. Merchant payment for any fulfilment, storage or per-shipment charges is handled directly by the merchant's 3PL Warehouse Customer under the merchant's separate contract with that 3PL. The $0.00 / month WB Connect AppSubscription is administered through the Shopify Billing API. As a consequence, WB Connect is out of scope for the Payment Card Industry Data Security Standard.

15. Customer Responsibilities

Security is shared. To get the protection this Policy describes, merchants and 3PL Warehouse Customers should:

  • protect the Shopify Admin login that authorises the WB Connect install — including MFA on the Shopify Admin user that performs the OAuth flow;
  • review the scopes WB Connect requests at OAuth time and uninstall WB Connect from Shopify Admin if those scopes are no longer wanted;
  • review the access granted to internal staff within their own Shopify Admin and within their own WMS environment;
  • promptly report suspected compromise of credentials, suspicious activity or any other security concern to abuse@warehousebridge.com.

16. Changes to This Policy

We will update this Policy from time to time. The "Last Updated" date at the top of the Policy reflects the date of the most recent material revision. Where a change introduces a new sub-processor, broadens the data we collect, materially reduces a control described here, or otherwise affects the protections described in this Policy, we will additionally notify merchants and 3PL Warehouse Customers in accordance with the notice provisions in the Data Processing Addendum at https://wbconnect.app/dpa and the Terms and Conditions at https://wbconnect.app/terms.

17. Contact

For questions about this Policy, security enquiries, due-diligence requests, or to report a vulnerability or a suspected incident:

  • General and support: support@warehousebridge.com
  • Privacy, data-protection and data subject requests: privacy@warehousebridge.com
  • Security incidents, vulnerability reports and abuse: abuse@warehousebridge.com
  • Legal: legal@warehousebridge.com
  • Website: https://wbconnect.app
  • Postal: Flag Eagle LLC, 401 Ryland Street STE-200, Reno, NV 89502, United States.

18. Governing Law

This Policy is published by Flag Eagle LLC, a Nevada limited liability company, and is governed by the laws of the State of Nevada, United States, without regard to its conflict-of-law principles. Any dispute arising out of or relating to this Policy will be resolved by binding arbitration administered by the American Arbitration Association in accordance with its commercial arbitration rules, with the seat of arbitration in Nevada, United States. Nothing in this Section limits any right that a UK or EEA data subject has under the UK GDPR or the EU GDPR (including the right to lodge a complaint with a supervisory authority), nor any right that a California resident has under the CCPA, nor any right that a Nevada resident has under NRS 603A, nor any other non-waivable statutory right.
