Shopify-embedded · DPA-covered session

Sign in to Sumeru.

Sumeru is an embedded Shopify app. You sign in by opening it from your store admin — identity, RBAC, and session lifecycle ride on your Shopify staff account, so there's no separate Sumeru password to manage.

For Shopify merchants

Open Sumeru from your Shopify admin

Sign in to your Shopify admin first; Sumeru opens inside it as an embedded app. SSO is handled by Shopify — no separate credentials.

  1. Sign in to admin.shopify.com for the store you operate.
  2. From the sidebar, click Apps, then Sumeru Systems.
  3. The Sumeru workspace opens inside your admin. Permissions follow your Shopify role; Sumeru adds per-engine scopes on top.

Identity model
  • Shopify is the source of truth. Staff accounts, role assignments, and 2FA enrollment live in your Shopify admin. Sumeru reads them.
  • RBAC composes, doesn't fork. Your Shopify role provides the baseline; Sumeru adds per-engine scopes on top, never overrides upstream.
  • Deprovisioning is immediate. Disable a Shopify staff account and the user's Sumeru session terminates on next request.
  • No password to lose. Sumeru holds no merchant-side credential, so there's nothing for an attacker to phish from us.

Compliance & legal

Attestations covering every signed-in session

Sign-in events and high-risk actions are written to the audit log under your executed DPA. Reports below; SOC 2 Type II shipped under NDA on request.

SOC 2 Type II
In progress

Audit firm engaged · target 2026 Q2 · report under NDA on request

GDPR
Compliant

DPA available · Article 28 processor

ISO 27001
2026 Q4

Scope defined · gap analysis underway

HIPAA
Available

BAA available on request for relevant verticals

PCI DSS L1
Via Shopify

Card data never touches Sumeru; PCI L1 inherited from Shopify

DPA-covered session

When you sign in, you operate under the Data Processing Addendum between Sumeru Systems and your organisation (or the standard online DPA at /legal/dpa if no negotiated agreement exists). Sign-in events, role changes, permission grants, and high-risk actions are retained in the audit log under the access controls defined in the DPA.

Enterprise sign-in roadmap

What's coming for enterprise authentication

We ship enterprise auth in phases — each item below has a target quarter and is tracked publicly. Subscribe to /roadmap or talk to sales for procurement-cycle timing.

  • 2026 Q2
    SAML 2.0 + SCIM 2.0 sign-in for Enterprise tier
  • 2026 Q2
    FIDO2 / WebAuthn hardware-key enrollment for owners
  • 2026 Q3
    IP allow-listing + configurable session TTL per workspace
  • 2026 Q3
    EU data-residency sign-in endpoint (login.eu)
  • 2026 Q3
    Agency console — standalone portfolio sign-in
  • 2026 Q4
    ISO 27001 certification
  • 2026 Q4
    APAC region (login.apac) for Sydney data residency

No Sumeru account yet?

See Sumeru on your data in thirty minutes.

30-minute call, screen-share on your data (or a representative sample), written deployment plan in the follow-up. Procurement-ready packet — DPA, subprocessors, security questionnaire — provided for evaluation cycles.