by thinkingkong 1934 days ago
Again, you're assuming internal controls exist implicitly. They don't. They're a risk exercise, not a requirement.
2 comments

They have very loose controls at Shopify - no ISMS, no standard key controls - bluntly, it’s a miracle they haven’t had much worse happen yet. They’re not even ISO27001 compliant or certified.
This may have been true in the past, however per https://www.shopify.com/security they are SOC2-certified (SOC2 is significantly more common in North America), they are certainly PCI Level 1, and have GDPR/CCPA compliance requirements. You can also see their 2019 Transparency Report: https://www.shopify.com/security/transparency-report/report-.... It is still possible that their SOC2 and PCI reports could have a number of exceptions, but I would be surprised at this point in their maturity cycle.
Most small SaaS companies, the sort I have worked for, have literally zero controls for this sort of thing. I would expect more of a 100+ billion-dollar company like Shopify, but frankly I am not surprised.