Security practices

1. Infrastructure

• Hosted on Railway (EU-West region — data stays in the EU)
• PostgreSQL database with encryption at rest
• HTTPS only — TLS 1.2+ via Let's Encrypt, HSTS enabled
• DDoS mitigation at the edge layer

2. Payment security

• All payments handled by Stripe (PCI-DSS Level 1 certified)
• Card numbers are never seen, never logged, never stored by Frictionless
• Stripe webhook validation via cryptographic signatures (HMAC-SHA256)
• Failed verifications are rejected with HTTP 401

3. Data security

• Database backups encrypted, retention 30 days
• Production access: founder-only via SSH key + 2FA
• Application logs anonymized where possible, retention 90 days
• No third-party SaaS has database-level access

4. Shopify OAuth security

• OAuth 2.0 flow with HMAC signature validation on every callback
• State-token CSRF protection on every authorization
• Access tokens stored encrypted at rest
• GDPR mandatory webhooks live + HMAC-validated:
  • POST /webhooks/customers/data_request
  • POST /webhooks/customers/redact
  • POST /webhooks/shop/redact
• Invalid HMAC → HTTP 401, no further processing

5. Pixel security

• Cookieless tracking by default
• No PII collected unless explicit opt-in
• Pixel events aggregated; no individual customer tracking
• Pixel-installed stores can request a full data export at any time

6. Incident response

• Report security issues to enrico.boeker@gmx.de
• Acknowledgement target: 24 hours
• Critical issues: hotfix + customer notification target 72 hours
• Coordinated disclosure preferred; please give us a chance to patch before public disclosure

7. Compliance

• GDPR-compliant by design (see /privacy for data-handling detail)
• Shopify App Store mandatory compliance webhooks live
• No data sold to third parties
• EU-West hosting; no transfers to third countries by default

8. Responsible disclosure