Audit report
eFulfillment Service
CriticalReach : broadby eFulfillment Service · Orders and shipping · Shopify App Store
Order Fulfillment for Ecommerce
Key insights
- ◆Publisher is a U.S.-based 3PL (third-party logistics) provider, not a pure software vendor
- ◆Suffered Akira ransomware claim on Feb 4, 2026, material recent incident
- ◆Privacy policy claims 30-day retention max for customer PII and 72-hour breach notification
- ◆OAuth scopes not explicitly enumerated on the Shopify App Store listing page
Top findingsview all
- CriticalAkira ransomware attack (Feb 2026)
- HighNo SOC2/ISO27001 certification; minimal compliance posture
Analysis summary
Order Fulfillment for Ecommerce
- ◆Publisher is a U.S.-based 3PL (third-party logistics) provider, not a pure software vendor
- ◆Suffered Akira ransomware claim on Feb 4, 2026, material recent incident
- ◆Privacy policy claims 30-day retention max for customer PII and 72-hour breach notification
- ◆OAuth scopes not explicitly enumerated on the Shopify App Store listing page
- ◆Publisher website served via Cloudflare with strong CSP, but no HSTS
- ◆No mention of LLM/AI usage in privacy policy
- ◆Built for Shopify badge not present
This section is available to signed-in users
Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.
Get startedOAuth scopes requested
These are the access permissions this app asks for during install. The sensitivity column reflects PII exposure and merchant impact.
| Scope | Sensitivity | Why we flag it |
|---|---|---|
read_orders | High | Required to receive new orders for fulfillment |
write_orders | High | Required to mark orders fulfilled and post tracking numbers |
read_products | Medium | Required to map SKUs between Shopify and the 3PL |
write_inventory | High | Required to sync stock levels into Shopify |
read_customers | High | Required to retrieve ship-to PII for parcel labels |
read_ordersRequired to receive new orders for fulfillment
write_ordersRequired to mark orders fulfilled and post tracking numbers
read_productsRequired to map SKUs between Shopify and the 3PL
write_inventoryRequired to sync stock levels into Shopify
read_customersRequired to retrieve ship-to PII for parcel labels
This section is available to signed-in users
Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.
Get startedThis section is available to signed-in users
Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.
Get startedNetwork surface
- Primary domain
- efulfillmentservice.com
- TLS grade
- A
- HSTS
- Missing
- CSP
- Enabled
Cloudflare-fronted HTTPS, broad CSP allowlist including unsafe-inline and unsafe-eval; HSTS not advertised on root response
Compliance & certifications
CCPA + GDPR rights addressed; 30-day data retention; 72-hour breach notification commitment; no formal third-party security certifications disclosed
Privacy policyPublisher reputation
- Publisher
- eFulfillment Service
- Verified Shopify Partner
- No
- Years active
- 0
- Other apps
- 0
- ●2026-02-04 · ransomware · Akira (https://www.ransomware.live/id/ZWZ1bGZpbGxtZW50IFNlcnZpY2VAYWtpcmE=)