We keep your data where we can see it.
We take your eshop data and your customers' data seriously. This page describes how we approach security: where our servers run, how we encrypt traffic and sensitive data, and how we stay compliant with the GDPR. We only write about what is actually in place.
Encryption at every layer
All traffic between you and the platform goes exclusively over TLS; nothing travels unencrypted. Sensitive data such as API keys and third-party credentials is additionally encrypted at the application level with AES-256-GCM.
GDPR without the asterisks
Our processing of personal data is described in the privacy policy, including the list of sub-processors. You can export your data from the platform at any time, so portability is covered. The data processing agreement is available to download.
Data isolated per organization
Every database query is strictly bound to your organization. Only a user with a role and permission for the data can reach it, and nothing more. One organization never sees into another's data.
AI done honestly
AI features run through contracted processors, Anthropic and OpenAI, which you will find in the list of sub-processors. We use your eshop data only for tasks you request yourself. Under these providers' terms, API data is not used to train their models.
Responsible vulnerability disclosure
Found a security issue? Write to us at [email protected]. The rules for responsible disclosure are in the /.well-known/security.txt file. We take every report seriously and get back to you.
Security is never finished
We do not want to promise stamps we do not have yet. We would rather tell you plainly what is coming.
Two-factor authentication (2FA)
We are working on 2FA for admin sign-in, so a leaked password alone cannot open the account.
Formal certification
We are considering SOC 2 certification as our enterprise segment grows. Until we have it, we do not claim we do.
A question about security?
Write to us and we will gladly explain how we protect your data. The list of sub-processors and a signed data processing agreement are available on request.