Table of Contents

Protected Customer Data

Colin Updated by Colin

ShipStream takes data privacy seriously, in particular the names, company names, addresses, and contact information of your customers. This data is commonly referred to as Personally Identifiable Information (PII) or Protected Customer Data (PCD). Not only do we protect this data from unnecessary disclosure or breach, but we also provide you with the tools to effortlessly:

  1. Protect it from unnecessary exposure with Masking. It's better to simply not show the data if it isn't necessary!
  2. Know who has accessed what data with Logging. If someone does view it, you need to keep a record of it! If they didn't, you need to be able to confidently deny it!
  3. Delete the data when there is no longer a reasonable need for it with Retention. If you don't have it, you can't possibly find yourself in a "situation" with it and if you do find yourself in a situation, the less you have, the better!

These aren't just common sense and best practices, they are also required to one degree or another by common data privacy requirements such as:

However, we understand there is not a one-size-fits-all solution to these problems so we leave the control over your masking and retention up to you!

Even if ShipStream and your company successfully stave off all overt security threats and follow the principle of least privilege religiously, your clients and users and potentially any number of indirect contacts or system integrations that have access to the PCD still create exposure risk and could inadvertently or maliciously cause data to be leaked through no fault of yours or ours. Therefore, choosing the shortest feasible data retention policy to reduce the impact of such risks is strongly recommended.


Throughout the user interfaces, PCD is masked by a blur effect. If you wish to view the underlying data, simply click the blurry text and it will be revealed! Requiring users to opt-in to viewing PCD will greatly reduce the amount of PCD that ends up being exposed, increase accountability, and make auditing the logs more manageable.

When a user requests the data in this way, the access is logged automatically and unavoidably as described in the Logging section below.
You may search the masked grid columns as normal without clicking to reveal any data.

After clicking any of the blurred text on the page, all of the data will be revealed.

The data is only retrieved on request, it does not actually exist behind the blur so there is no possibility of hacking it without clicking to reveal it and thereby logging the access to it.

Unmasked Data

There are a few places where data may be unmasked by default if it is required for the functionality of the page and the user has the PCD permission, such as classifying an address. In these cases, the amount of data shown is restricted to just what is necessary.

Show PCD

For those times when you need to repeatedly reveal the masked data, you can set it to automatically be revealed for the next 15 minutes. Ideally, you should turn it off when you're done, but if you forget, no sweat!

Of course, all PCD viewed with the Show PCD feature enabled will still be logged to the audit log so ideally this should not be overused.

Exporting PCD

By default, exporting grids that contain PCD will only export the masked data (each character except for spaces is replaced with "#"). If you wish to export the PCD as well, you need to use the "Show PCD" feature described above before clicking Export.


The user interfaces can be configured to behave as if the Show PCD toggle described above is always toggled on. When Masking > Always Show PCD is enabled, users with PCD permission will see all PCD revealed at all times, and users without PCD permission will only see masked data and still cannot click to unmask it. There are two separate configuration fields for controlling the Masking feature in the Admin UI and the Client UI, respectively.

  • System > Configuration
    • General > Privacy > Masking > Always Show PCD for the Admin UI
    • Clients > Privacy > Masking > Always Show PCD for the Client UI
    Logging of PCD access will still occur while Always Show PCD is enabled so this option will significantly increase the amount of PCD logging, making auditing of the logs less feasible.


An audit log record is written every time a user or API performs one of the following:

  • Reveals PCD by clicking on it, exporting it, or otherwise views it on-page while using the Show PCD feature
  • Downloads or prints a document that likely includes PCD (packing slip, shipping label, etc.)
  • Causes a transactional email that contains PCD to be sent
  • Preserves PCD for an object
  • Expunges PCD for an object

The log records include the following columns:

  • Timestamp
  • User ID
  • Merchant ID
  • Entity Type (order, return, edi_document, import_task_record)
  • Entity ID
  • Unique ID (increment_id of the order/return)
  • Action (view, export, download, print, preserve, expunge)
  • Endpoint URL
  • Endpoint Type (client, admin, merchant_api, global_api, automationv1)
  • Keys Accessed (name, company, street, telephone, email - comma-separated list)
  • Remote IP
  • User Agent

Audit logs are retained indefinitely.

Currently, this log is not directly available to end users, please contact us if you need to inspect the logs and we'd be happy to share them with you. In a future version of ShipStream they will be easy to search, download, monitor, and report.


ShipStream can automatically "expunge" your PCD on a set schedule for you. Expunged does mean it's truly gone so please be cognizant of the potential for unintended data loss.

Typically you or your clients will have their own CRM that is the source of truth for customer data so keeping it in the WMS/OMS is completely unnecessary. For example, orders in ShipStream can be correlated to customer orders in the CRM by order number.

When expunged, the PCD will appear as black boxes and cannot be revealed by clicking or exporting.

If an order's PCD is expunged, you will not be able to void any existing shipping labels for the order to avoid a situation where you cannot re-ship an order. Also, to reorder an order with expunged PCD, you will need to re-enter the expunged data.
ShipStream does not take any responsibility for data expunged based on your retention policies or the actions of your users. Data restoration from backups may be available for a short time after data is expunged, but recovery is not a normal process and thus will incur a non-trivial recovery fee.

Orders with expunged data will still be associated in the "Related Orders" tab of the order page with other orders that have or had the same email address or street address before being expunged.

The original data is not retained for this purpose, but rather "hashed" using a strong hashing algorithm that allows the records to be associated with one another in a way that cannot feasibly be reversed to reveal the original data. We do not consider this to be a retention of customer data since to reveal the data you have to already know the data and the fact that some orders are related to one another with no known name, address, or contact information does not constitute a significant level of private information.


Customize your PCD retention policy to suit your needs at System > Configuration > General > Privacy. Here you may choose a retention policy for each major category of PCD to suit your needs.

You may override the retention policy for individual Merchants and Brands, so if you have specific partners that require stricter policies than others you may easily configure different policies for them.

You are fully responsible for observing the PCD retention requirements and regulations set forth by your business partners and in your jurisdictions. ShipStream does not take any responsibility for your failure to comply with such requirements and regulations based on your configured retention policy and will not modify your configuration - it is up to you to determine what configuration is appropriate for your business and apply it as needed.

Preservation and forced Expungement

You can prevent automatic or manual expungement of PCD with the Preserve PCD mass action on the order grid, and reverse this with the Un-Preserve PCD mass action.

Similarly, you can instantly expunge PCD for completed orders manually by using the Expunge PCD mass action. This is not reversible, but you will be prevented from expunging data for incomplete orders with a warning:


If some users have no legitimate business need to view the PCD you can simply not grant their user roles the "Protected Customer Data" role resource.

Principle of least privilege: The principle of least privilege is a security concept in which all users are afforded the minimum levels of access or permissions needed to perform their jobs. Most if not all data protection regulations require that you practice this principle.

In the case of a user lacking the PCD role resource, the data will always be masked, and clicking it will not cause it to be revealed. Instead, a tooltip will explain that they lack permission to view it.

The minimal role resources required to view clickable masked data is the "Protected Customer Data" role resource without the sub-resources:

Additionally, you can grant permissions for exporting, expunging, and preserving (or un-preserving) PCD independently.

There are some cases where users without the PCD role resource are still able to lay their eyes on the data when it is unavoidable to perform their duties such as printing packing slips and shipping labels (we have not yet developed technology to blur and un-blur paper). Additionally, the Reorder feature is not available for users who do not have permission to view PCD since it would reveal the PCD.

How did we do?

Login via Badge

Technical Contact