Starship
starship / search / efulfillment-service-order-fulfillment-for-ecommerce

Audit report

eFulfillment Service

CriticalReach : broad

by eFulfillment Service · Orders and shipping · Shopify App Store

Orders and shipping
Risk level
Critical
Executive summary

Order Fulfillment for Ecommerce

Key insights

  • Publisher is a U.S.-based 3PL (third-party logistics) provider, not a pure software vendor
  • Suffered Akira ransomware claim on Feb 4, 2026, material recent incident
  • Privacy policy claims 30-day retention max for customer PII and 72-hour breach notification
  • OAuth scopes not explicitly enumerated on the Shopify App Store listing page

Top findingsview all

  • Critical
    Akira ransomware attack (Feb 2026)
  • High
    No SOC2/ISO27001 certification; minimal compliance posture
Synthesis

Analysis summary

Order Fulfillment for Ecommerce

Key insights
  • Publisher is a U.S.-based 3PL (third-party logistics) provider, not a pure software vendor
  • Suffered Akira ransomware claim on Feb 4, 2026, material recent incident
  • Privacy policy claims 30-day retention max for customer PII and 72-hour breach notification
  • OAuth scopes not explicitly enumerated on the Shopify App Store listing page
  • Publisher website served via Cloudflare with strong CSP, but no HSTS
  • No mention of LLM/AI usage in privacy policy
  • Built for Shopify badge not present

This section is available to signed-in users

Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.

Get started
Permissions

OAuth scopes requested

These are the access permissions this app asks for during install. The sensitivity column reflects PII exposure and merchant impact.

read_orders
High

Required to receive new orders for fulfillment

write_orders
High

Required to mark orders fulfilled and post tracking numbers

read_products
Medium

Required to map SKUs between Shopify and the 3PL

write_inventory
High

Required to sync stock levels into Shopify

read_customers
High

Required to retrieve ship-to PII for parcel labels

This section is available to signed-in users

Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.

Get started

This section is available to signed-in users

Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.

Get started
Attack surface

Network surface

Primary domain
efulfillmentservice.com
TLS grade
A
HSTS
Missing
CSP
Enabled

Cloudflare-fronted HTTPS, broad CSP allowlist including unsafe-inline and unsafe-eval; HSTS not advertised on root response

Posture

Compliance & certifications

GDPR webhooks Pass
SOC 2 Type II Fail
ISO 27001 Fail
PCI DSS Fail

CCPA + GDPR rights addressed; 30-day data retention; 72-hour breach notification commitment; no formal third-party security certifications disclosed

Privacy policy
Track record

Publisher reputation

Publisher
eFulfillment Service
Verified Shopify Partner
No
Years active
0
Other apps
0
Past incidents
  • 2026-02-04 · ransomware · Akira (https://www.ransomware.live/id/ZWZ1bGZpbGxtZW50IFNlcnZpY2VAYWtpcmE=)
LLM exposure

AI / LLM usage

No LLM usage detected. This app does not appear to forward any customer or merchant data to large-language-model providers.