
Security Practices

Last Updated: June 24, 2026

We take a proactive, multi-layered approach to security. This document details how we encrypt data, handle integrations, protect APIs, and restrict AI operations to protect your business and your customers.


1. Data Encryption

All data transmitted to or from the Platform is protected by encryption standards:

  • In Transit: All web traffic and API calls are forced to use TLS 1.3 encryption (SSL) to prevent interception.
  • At Rest: Merchant profile data, store configurations, call transcripts, and metadata are encrypted in our databases at rest using AES-256 volume encryption.

2. Secure Shopify OAuth Integration

That Was AI uses official Shopify OAuth workflows to integrate with your storefront:

  • Minimal Permission Scopes: We request only the permissions strictly required to execute support actions: customer verification (read_customers), order status lookups/modifications (read_orders, write_orders), and product availability lookups (read_products, read_inventory). We do not request access to payment credentials or sensitive store settings.
  • Token Vaulting: Shopify offline access tokens are securely vault-stored in our PostgreSQL database and are accessed exclusively by server-side processes. They are never exposed to the frontend or sent to client-side components.

3. API & Webhook Verification

To ensure all actions executed on your Shopify store are valid, we secure webhook and callback channels:

  • Shopify Signature Matching: Every inbound webhook from Shopify (such as app uninstallation requests) is verified with HMAC-SHA256 signature validation. The Base64-encoded signature in the request header is compared against the value we calculate with our secret, using a timing-safe comparison (timingSafeEqual) to prevent timing attacks.
  • Secure Telephony Callback Scoping: Voice assistant tool invocations are isolated at the database level using unguessable random identifiers (CUIDs) scoped strictly to each merchant store, preventing cross-tenant request forgery.

4. AI Operation Safeguards & Fraud Prevention

To protect against unauthorized order cancellations or address updates, our AI assistants enforce strict verification rules:

  • Mandatory Caller Verification: Before the AI shares tracking details or performs order modifications (such as updating shipping address or canceling an order), it requires the caller to provide their Order Number along with the registered Email Address or Phone Number. If the details do not match the order record on Shopify, the action is blocked.
  • No LLM Training on Your Data: We do not use your customers' voice recordings, call transcripts, or shop data to train public LLM models. Your store data remains isolated.
  • Fulfillment Checkups: The AI registry checks the status of an order prior to canceling or updating it. If an order is already fulfilled or in transit, modifications are automatically blocked to prevent delivery fraud.

5. Reporting a Security Issue

We welcome security disclosures. If you discover a vulnerability or security issue, please contact us immediately via email at support@thatwasai.com. We will investigate and respond to disclosures promptly.