Security
The controls we run today, and the ones we’re working toward.
Encryption
- In transit: TLS 1.2+ for all customer and inter-service traffic.
- At rest: AES-256 on managed databases, object storage, and backups.
- Secrets stored in a managed secrets service, never in source.
Access controls
- SSO and MFA required for all employee access to production systems.
- Role-based access with least privilege; production access is audited and time-bound.
- Employee access to customer data is limited to support cases initiated by the customer and to the investigation of active incidents.
Infrastructure
The product runs on AWS in hardened VPCs with private networking between services. We segment environments (dev, staging, prod), version-control infrastructure where practical, and patch managed services on the provider’s cadence.
SOC 2 Type II is in progress. We are not yet certified; we are happy to share our current control map and roadmap on request.
Incident response
We maintain a written incident response plan with defined severity levels, an on-call rotation, and a post-mortem practice. Customers are notified of confirmed Personal Data breaches without undue delay and within 72 hours, per our DPA.
Penetration testing
We conduct internal security reviews on each major release and engage external penetration testers periodically. Summary letters are available to enterprise customers under NDA.
Responsible disclosure
If you believe you have found a security vulnerability, please email security@shopthru.ai with reproduction steps. Please give us a reasonable window to investigate and remediate before public disclosure. We will acknowledge receipt within two business days.
Contact
Security: security@shopthru.ai · Legal: legal@shopthru.ai