Skip to main content
Security

How we protect your data.

The non-marketing version — what we actually do, what we do not do yet, and how to report a vulnerability.

Architecture

Tenant-isolated, not just tenant-scoped.

Every customer gets a dedicated database. We do not use a shared schema with a tenant_id column — there is no row-level multi-tenancy. Your inventory, customer and order data live in their own database, on shared infrastructure but in separate logical tenancies, via Stancl Tenancy.

The central database holds your account, subdomain, subscription and the encrypted credentials for your marketplace connections. Tenant databases hold everything else.

Why this matters. A bug in our authorization layer can leak data within your tenant. It cannot leak data across tenants. The blast radius of an access mistake is one customer's data, not all of it.
Encryption

At rest, in transit, and on the wire to marketplaces.

In transit

TLS 1.2+ on every request. HTTPS-only cookies. No HTTP fallback.

At rest

Database storage encrypted by our hosting provider. Sensitive columns encrypted at the application layer via Laravel's encrypted casts.

Marketplace tokens

OAuth refresh tokens, API keys and webhook secrets are AES-256 encrypted at the column level before they touch disk.

Access control

Roles, permissions, and a paper trail.

Role-based access (RBAC). Owner, admin, manager, picker — granular permissions per role.
Audit log. Every state transition on orders, transfers, pick lists and cycle counts is logged with actor and timestamp.
Session timeout. Sessions expire after inactivity. Configurable per tenant on higher tiers.
CSRF protection. Every mutating request requires a CSRF token. Same-origin policy enforced.
Honest

What we don't have yet.

Most security pages bury the negatives. We list them here so you know going in.

SOC 2 Type II attestation

Targeting Q3 2026. We have the controls; we do not yet have the audit.

HIPAA / healthcare compliance

Not in scope. Don't put PHI in our system.

PCI DSS scope

We don't touch payment card data. Cards go through your marketplace's native payouts, never through us.

Public bug bounty

No public-facing bounty program yet. We do honour responsible disclosure — see below.

Vulnerability disclosure

Found a security issue?

Please email [email protected] with details. We acknowledge within one business day and keep you informed through remediation.

For machine-readable disclosure info, see our /.well-known/security.txt file (RFC 9116).

Security questions for a sales conversation?

Send specifics. Our engineers — not a salesperson — will reply.