AURA Automations

Security & Data Protection

AURA is designed to plug into your ecommerce stack without taking unnecessary risks. We minimise the data we store, lock down access and keep you in control at all times.

Read-only where possible, least-privilege access everywhere else.
Encrypted connections between AURA, Shopify and your other tools.
Clear offboarding: one click to revoke keys, users and automations.

If you have an internal security review or DPA, we’re happy to work through it and shape your AURA setup to match. No forced black-box SaaS.

Security console • Overview

Live posture snapshot

Access & permissions

Least privilege

Only the scopes each system genuinely needs.

All keys reviewable

Shopify: per-store API keys
Sheets / DB: restricted views
Email / CRM: role-based access

Data handling

Minimised

We only store what each workflow needs.

No card data, no passwords
PII kept in your tools where possible
Logs focused on events & errors

How AURA connects to your stack

Integrations without lock-in

AURA systems are built on top of the same tools you already trust — Shopify, Google, Klaviyo, your helpdesk and your warehouse / logistics stack. We use each platform’s official authentication and permissions model so you keep ownership and can revoke access at any time.

Permissions & scopes

Read-only access wherever a system only needs to analyse data.
Write permissions limited to the specific objects a workflow updates.
Separate API keys for different brands / stores so access is isolated.
Option to run sensitive automations inside your own accounts/tools.

Credentials & secrets

API keys stored in the underlying automation platform’s secret manager.
No sharing of plain-text credentials in docs, email or chat.
Rotation support during onboarding and offboarding.
Access can be restricted to your own SSO / admin users where supported.

Data handling

What AURA systems see (and don’t see)

Each system has a defined data footprint. We map this with you during onboarding so your team knows exactly which tables, objects and events are in scope — and which are explicitly out.

Typical data in-scope

Order, product, collection and catalogue data from your store.
Marketing performance metrics (ad spend, clicks, campaigns).
Content objects: blogs, landing pages, tickets, reviews and UGC.
High-level customer attributes used for segments and cohorts.

Data kept out of scope

No card or payment details; we use your PSP’s references only.
No staff passwords or direct database root access.
No unnecessary exports of raw PII outside your core tools.
Optional anonymisation for historical data used in modelling.

Control & oversight

You stay in charge of your automations

Logging & approvals

Key systems (support, email, SEO changes) can run in “draft first” mode.
Activity logs show which workflow changed what and when.
Roll-back paths agreed for theme, content and CRM changes.
Optional weekly summary of automation activity for your leadership team.

Offboarding & deletion

Clear checklist to revoke API keys, accounts and webhooks.
We can hand over all workflows so they run entirely under your ownership.
Optional clean-up of temporary data, staging sheets and test objects.
Documentation pack so future teams understand what was deployed.

Need to run a security review before we start?
Share your requirements, DPAs or security questionnaire and we’ll map your AURA setup to match your policies.

Discuss security in your audit →