Skip to content

Security and compliance

This article covers Ignyte IQ’s security architecture, data-handling practices, and compliance posture for vendor reviews and DPA negotiations.

Every OAuth integration uses read-only scopes on the source platform. Ignyte IQ does not modify ad campaigns, customer records, product catalogs, or any other data on the source side.

PlatformScopes requested
Shopifyread_orders, read_customers, read_products, read_inventory, read_fulfillments
Google Adsadwords (read-only)
Meta Adsads_read, business_management, read_insights
TikTok AdsRead-only reporting
Pinterest Adsads:read, pins:read
Microsoft AdsRead-only reporting
Amazon AdsRead-only reports (Sponsored Products, Brands, Display)
Google Analytics 4analytics.readonly
Amazon SellerRead-only reports (Orders, Inventory, Sales & Traffic)
StripeRead-only on charges, refunds, payouts

API-key integrations (Klaviyo, Recharge) require read-only access configured on the source side — generate keys with the minimum required scope. OAuth grants and API keys can be revoked at any time on the source platform; revocation immediately stops further syncing.

  • In transit: all connections between source platforms and Ignyte IQ use TLS 1.2+; browser-to-app traffic uses HTTPS; internal service-to-service communication is encrypted.
  • At rest: customer data is encrypted with AES-256, using cloud-provider managed keys (KMS) for rotation and access control. Backups are encrypted.
  • Credentials: OAuth tokens and API keys are stored encrypted and accessed only by sync services; personnel access is logged and audited.

Ignyte IQ retains customer data for the duration of an active subscription:

  • Source data — retained while the integration is connected and the account is active.
  • Calculated metrics — derived from source data; retained alongside.
  • Workspace configurations (Reports, Saved Views, Metric Targets) — retained while the workspace is active.
  • Backups — per the cloud provider’s policies, typically 30 days.

Deleting a workspace removes its configurations and disconnects its datasources. After account cancellation, data is retained for a grace period (typically 30 days) to allow reactivation, then deleted from active systems. To request immediate deletion of specific data or a full account, contact support.

Ignyte IQ supports GDPR compliance for customers handling EU resident data:

  • Data Processing Agreement (DPA) — available on request.
  • Right to access — request your data through support.
  • Right to erasure — handled per the retention-and-deletion policy above.
  • Data residency — primary storage region documented on request.

Sub-processors fall into the following categories; a current list with company names is available under DPA or NDA, and changes are notified per the DPA:

CategoryPurpose
Cloud infrastructureHosting, compute, storage, network
DatabaseCustomer data storage
EmailAccount and product transactional emails
Customer supportTicketing and chat
Monitoring and observabilityError tracking, uptime monitoring
AnalyticsProduct usage analytics

For a DPA, a sub-processor list, or a custom security questionnaire, contact support from the workspace and reference “security documentation request.” Response time depends on the request scope; standard DPAs and questionnaires are prioritized.