Security

1.1 Encryption at rest. All stored data is encrypted using AES-256 encryption, the same standard used by financial institutions and government agencies worldwide.

1.2 Encryption in transit. All data transmitted between your browser and our servers is protected with TLS 1.3 encryption, ensuring that information cannot be intercepted or tampered with during transmission.

1.3 Key management. Encryption keys are managed using secure key management practices with regular rotation schedules and strict access controls.

2.1 Cloud hosting. Our Services are hosted on secure, SOC 2 compliant cloud infrastructure with enterprise-grade physical and network security controls.

2.2 DDoS protection. We employ DDoS protection and mitigation services to ensure availability and resilience against volumetric and application-layer attacks.

2.3 Redundancy. Our systems are designed with redundancy and automatic failover capabilities to minimize downtime and ensure service continuity.

2.4 Backups. Regular encrypted backups are performed to protect against data loss, with backups stored in geographically separated locations.

3.1 Secure development. We follow secure coding practices, including mandatory code reviews and automated security testing as part of our development lifecycle.

3.2 Authentication. We use OAuth 2.0 authentication with Shopify, ensuring secure and standardized access to your store data without storing your Shopify credentials.

3.3 Input validation. All user inputs are validated and sanitized to protect against injection attacks, cross-site scripting (XSS), and other common vulnerabilities.

3.4 OWASP compliance. Our application is designed and tested to protect against the OWASP Top 10 vulnerabilities, including injection, broken authentication, sensitive data exposure, and security misconfiguration.

3.5 Dependency management. We regularly update dependencies and apply security patches to address known vulnerabilities in third-party libraries and frameworks.

4.1 Minimum permissions. We only request the minimum Shopify permissions necessary to provide our Services. We do not access your customer data, orders, or payment information.

4.2 Principle of least privilege. Internal access to systems and data is restricted based on role and necessity, following the principle of least privilege.

4.3 Data isolation. Customer data is logically isolated between accounts, ensuring that one customer's data is never accessible to another.

6.1 Security audits. We conduct regular security audits and penetration testing to identify and address potential vulnerabilities before they can be exploited.

6.2 Vulnerability scanning. Automated vulnerability scanning is performed on an ongoing basis across our infrastructure and applications.

6.3 Monitoring and logging. Comprehensive audit logging and real-time monitoring are in place to detect and respond to suspicious activity or security incidents.

6.4 Incident response. We maintain documented incident response procedures to ensure timely identification, containment, investigation, and notification in the event of a security incident.

6.5 Employee security. All personnel undergo background checks and receive security awareness training. Access to production systems is strictly controlled and monitored.