Purpose
- Explain what evidence exists for each decision.
- Show how decisions are hashed and timestamped.
- Clarify what is guaranteed versus optional metadata.
Decision evidence (core record)
Each enforcement decision creates a decision record with stable identifiers and timestamps. Checkout IDs are stored as hashes to reduce exposure of shopper data.
The core record is the indexable summary; the archived payload is the replayable envelope.
| Field | Meaning |
|---|---|
| shop_domain | Shopify shop domain that produced the decision. |
| checkout_id_hash | SHA-256 hash of the checkout ID. |
| decision_kind | Normalized kind (blocked, adjusted, allowed, or unknown). |
| reason | Normalized reason code (for example, CM.FLOOR.VIOLATION). |
| rule_code | Policy rule identifier that fired. |
| occurred_at | Unix timestamp for when the decision occurred. |
| event_id | Unique ID for the decision event. |
| metadata | Optional JSON payload for additional context (for example, policy version when provided). |
What is guaranteed
- A decision record is created for every enforcement outcome.
- Each record includes a stable event ID and timestamp.
- Decision kind and normalized reason code are always present.
What is optional
- Policy version metadata, when supplied by the caller.
- Additional contextual metadata provided at decision time.
Integrity evidence
Decision envelopes are stored with a SHA-256 hash and size metadata. An object key points to the archived payload in R2. These fields allow archived decisions to be verified for integrity during audit replay.
| Field | Meaning |
|---|---|
| payload_sha256 | SHA-256 hash of the archived payload. |
| payload_size | Payload size in bytes. |
| payload_r2_key | R2 object key for the archived payload. |
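One way to perform the integrity check during audit replay, as an added example rather than the product's own code. It assumes the payload bytes have already been fetched from R2 using payload_r2_key, that payload_sha256 is a hex digest, and that payload_size is an integer; the function name and sample values are hypothetical.

```python
import hashlib
import hmac
import json

HEX = set("0123456789abcdef")


def verify_archived_payload(record: dict, payload: bytes) -> tuple[bool, str]:
    """Compare fetched payload bytes with the record's integrity fields.

    Verify the raw stored bytes before parsing them: re-serializing the JSON
    can change key order or whitespace and would alter the digest.
    """
    expected = str(record.get("payload_sha256", "")).strip().lower()
    # A SHA-256 hex digest is exactly 64 hex characters.
    if len(expected) != 64 or not set(expected) <= HEX:
        return False, "malformed payload_sha256"
    # Cheap check first: catches truncated or padded objects without hashing.
    if record.get("payload_size") != len(payload):
        return False, "size mismatch"
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison of the two digests.
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch"
    return True, "ok"


def build_sample() -> tuple[dict, bytes]:
    """Constructed sample: an envelope and the integrity fields stored for it."""
    payload = json.dumps(
        {"event_id": "evt_0001", "decision_kind": "blocked",
         "reason": "CM.FLOOR.VIOLATION", "occurred_at": 1700000000},
        sort_keys=True,
    ).encode("utf-8")
    record = {
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "payload_size": len(payload),
        "payload_r2_key": "example/evt_0001.json",  # constructed placeholder key
    }
    return record, payload


if __name__ == "__main__":
    rec, body = build_sample()
    print(verify_archived_payload(rec, body))
    # Same length, different content: only the hash check can catch this.
    print(verify_archived_payload(rec, body.replace(b"blocked", b"allowed")))
```

A size match alone proves nothing about content, which is why the same-length substitution in the demo is rejected only at the hash comparison.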
Rollups
Hourly and daily rollups summarize decision counts by shop, decision kind, and reason. These are used for dashboards and trend analysis. Rollups do not replace individual decision records and are not used as primary audit evidence.
Policy versioning
Policy version is recorded when the caller supplies it in decision metadata. If policy version is missing, the decision record still includes the reason and rule code.
Retention and deletion
Data is retained while the app is installed. No decision data is retained after app uninstallation beyond required cleanup windows. Shopify shop redaction triggers data purges in the primary database and registry, with archived payload cleanup performed through maintenance jobs or on request. For more details, see the Privacy policy.
Defensibility checklist
- Decision records contain stable identifiers and timestamps.
- Archived payloads include integrity hashes.
- Rollups support financial review and anomaly detection.
- Optional metadata can record policy version when supplied.