
🛡️Security Policy

Last Updated: November 30, 2025

AdaptiveShop is committed to protecting the security and privacy of your data. This Security Policy explains the measures we take to secure the Platform and your responsibilities as a user.

This Policy supplements our Terms of Service, Privacy Policy, and other applicable agreements. For more information about data handling, see our Privacy Policy.

1. Overview

Security is a shared responsibility. While we implement industry-standard security measures to protect the Platform, you are responsible for securing your account, devices, and data.

Important: No system is 100% secure. While we strive to protect your information, we cannot guarantee absolute security against all threats. Use of the Platform is at your own risk.

2. Security Measures We Implement

2.1 Encryption

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS (Transport Layer Security)
  • Encryption at Rest: Data stored in our database is encrypted at rest via Supabase
  • Secure Connections: All API calls and webhooks use encrypted connections

2.2 Authentication & Access Control

  • Passwordless Login: Magic link authentication via Supabase Auth eliminates password-related vulnerabilities
  • Secure Session Management: HTTP-only, secure, SameSite cookies prevent session hijacking
  • Row Level Security (RLS): Database access is restricted so merchants can only access their own data
  • Service Role Protection: Administrative credentials are never exposed to clients

2.3 Payment Security

  • PCI-DSS Compliance: Payment card data is processed and stored by Stripe, not AdaptiveShop
  • No Card Storage: We never store full credit card numbers—only card brand and last 4 digits
  • Stripe Connect: Funds go directly to merchant Stripe accounts; AdaptiveShop never holds funds
  • Webhook Verification: All Stripe webhooks are cryptographically verified before processing

2.4 Infrastructure Security

  • Cloud Hosting: Platform hosted on Vercel with industry-standard security practices
  • Database Security: PostgreSQL database hosted on Supabase with encryption and access controls
  • Environment Variables: API keys and secrets are stored securely and never exposed to clients
  • Regular Updates: Dependencies and infrastructure are kept up to date with security patches

2.5 Application Security

  • Input Validation: All user inputs are validated and sanitized
  • SQL Injection Protection: Parameterized queries prevent SQL injection attacks
  • XSS Protection: Content is escaped to prevent cross-site scripting attacks
  • CSRF Protection: Cross-site request forgery protection via secure headers and tokens
  • Rate Limiting: Rate-limiting utilities are in place to prevent abuse (implementation ongoing)

2.6 Monitoring & Logging

  • Webhook Logging: All Stripe events are logged for auditing and debugging
  • Email Logging: Transactional emails are logged for compliance and troubleshooting
  • Order History: Audit trail of all order changes and updates
  • Error Monitoring: Application errors are tracked for rapid response

3. Your Security Responsibilities

As a user of the Platform, you are responsible for:

3.1 Account Security

  • Secure Email Access: Protect your email account with a strong password and two-factor authentication
  • Magic Link Security: Do not share magic link emails with others
  • Device Security: Keep your devices secure with passwords, encryption, and anti-malware software
  • Public Computers: Avoid logging in on public or shared computers
  • Suspicious Activity: Report unauthorized access immediately

3.2 Data Protection

  • Backups: Maintain your own backups of critical data (products, orders, customer info)
  • Customer Data: Protect customer information in accordance with privacy laws (GDPR, CCPA, etc.)
  • Third-Party Services: Secure your Stripe, ShipEngine, and POD provider accounts
  • API Keys: Keep API keys confidential and do not share them publicly

3.3 Content Security

  • Malware-Free Uploads: Do not upload files containing malware, viruses, or malicious code
  • Safe Links: Do not include phishing links or malicious URLs in product descriptions
  • Intellectual Property: Only upload content you own or have rights to use

4. What We Do NOT Guarantee

While we implement security best practices, we do NOT guarantee:

  • Absolute Security: No system is 100% secure against all threats
  • Zero Downtime: The Platform may experience outages, maintenance, or security incidents
  • Data Preservation: Data may be lost due to technical failures, security incidents, or other events
  • Prevention of All Attacks: Sophisticated attackers may bypass security measures
  • Third-Party Security: We are not responsible for security of third-party services (Stripe, ShipEngine, etc.)
  • Account Compromise: We are not liable for losses due to compromised email or device security

AdaptiveShop Does NOT Provide:

  • Cybersecurity Services: We do not provide cybersecurity consulting, audits, penetration testing, or security advisory services to merchants
  • Compliance Services: We do not provide compliance consulting, legal advice, or assistance with GDPR, CCPA, PCI-DSS, or other regulatory compliance
  • Merchant Security Responsibility: You are solely responsible for securing your own business, customer data, third-party accounts (Stripe, ShipEngine, POD providers), and compliance with applicable laws

Use of the Platform is at your own risk. See our Terms of Service for detailed limitations of liability.

5. Reporting Security Issues

5.1 Responsible Disclosure

If you discover a security vulnerability or issue with the Platform, please report it to us responsibly:

Email: [email protected]

Subject Line: "Security Vulnerability Report"

Please Include:

  • Description of the vulnerability
  • Steps to reproduce (if applicable)
  • Potential impact and severity
  • Your contact information

5.2 What NOT to Do

When reporting security issues, please do NOT:

  • Publicly disclose the vulnerability before we have addressed it
  • Exploit the vulnerability for malicious purposes
  • Access, modify, or delete data that does not belong to you
  • Perform actions that could harm the Platform or other users
  • Demand payment or rewards for disclosure

5.3 Our Response Process

When you report a security issue:

  • We will acknowledge receipt of your report
  • We will investigate and assess the severity
  • We will work to address critical issues as promptly as possible
  • We will notify you when the issue is resolved (if you provided contact info)

Note: As a small team, we may not be able to respond immediately. We appreciate your patience and responsible disclosure.

6. Security Incident Response

6.1 In the Event of a Breach

If we become aware of a security breach that may affect your data, we will:

  • Investigate the incident and assess the impact
  • Take steps to contain and remediate the breach
  • Notify affected users via email as promptly as possible
  • Comply with applicable data breach notification laws
  • Cooperate with law enforcement if appropriate

6.2 Your Actions After a Breach

If you are notified of a security incident:

  • Review the notification carefully
  • Change your email password if email compromise is suspected
  • Monitor your Stripe account and bank statements for unauthorized activity
  • Notify your customers if their data may be affected (as required by law)
  • Follow any additional instructions provided in the notification

6.3 Limitation of Liability

To the maximum extent permitted by law, AdaptiveShop is not liable for damages arising from security incidents, data breaches, unauthorized access, or loss of data. See our Terms of Service for detailed limitations of liability.

7. Third-Party Security

We use third-party services that have their own security practices:

7.1 Stripe (Payment Processing)

  • Stripe is PCI-DSS Level 1 certified (highest security standard)
  • Payment data is processed and stored by Stripe, not AdaptiveShop
  • Review Stripe's Security Documentation

7.2 Supabase (Database & Auth)

  • Supabase provides encryption at rest and in transit
  • Row Level Security (RLS) ensures data isolation
  • Review Supabase's Security Practices

7.3 Other Services

  • Resend (Email): Transactional email delivery with encryption
  • ShipEngine: Shipping API with secure connections
  • Vercel (Hosting): Secure cloud hosting infrastructure

Important: We do not control third-party security. Please review their security policies and practices.

8. Compliance

AdaptiveShop is committed to complying with applicable security and privacy laws, including:

  • GDPR: EU General Data Protection Regulation (for EU users)
  • CCPA/CPRA: California Consumer Privacy Act (for California residents)
  • PCI-DSS: Payment Card Industry Data Security Standard (via Stripe)

For more information about data protection, see our Privacy Policy.

9. Updates to This Policy

We may update this Security Policy from time to time to reflect changes in our practices, technology, or legal requirements. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the Platform after changes constitutes acceptance of the revised policy.

10. Contact Information

For security questions, vulnerability reports, or incident notifications:

📧 [email protected]
🌐 https://adaptiveshop.ai

If you're a merchant and need support, see our Merchant Support Page.

Security Summary

  • Encryption: HTTPS/TLS for all connections, encryption at rest for stored data
  • Payment Security: Stripe PCI-DSS compliance, no card storage on our servers
  • Authentication: Magic link + secure sessions, Row Level Security
  • Your Responsibility: Secure your email, devices, and third-party accounts
  • No Guarantees: No system is 100% secure—use at your own risk
  • Report Issues: Contact [email protected] for security concerns

©2025 AdaptiveShop
