Security

Last updated July 18, 2026

Every claim on this page describes something we actually run — no aspirational checkboxes.

1. Encryption

All traffic is served over TLS (Cloudflare at the edge, automatic certificate management at the origin).

Connector credentials are encrypted at rest with AES-256-GCM and are never logged or sent to the browser. API keys are stored only as SHA-256 hashes and shown once at creation. Passwords are hashed with scrypt.

2. Tenant isolation

ShelfReady is multi-tenant by design: every tenant-owned table is accessed exclusively through merchant-scoped queries, and every change to tenant-scoped code ships with an automated isolation test proving one tenant cannot read or write another tenant's data.

3. Infrastructure

The platform runs on EU infrastructure (netcup, Germany) behind Cloudflare. Access to production is restricted to key-based SSH; password authentication is disabled.

The database is backed up automatically on a rolling schedule.

4. Payments

Payments are processed by Stripe. Card data never touches our servers; webhook events are signature-verified and processed idempotently.

5. Integrations

Outbound webhooks are signed with HMAC-SHA256 so your systems can verify every delivery. We recommend read-only API credentials for store connectors — ShelfReady never needs write access to your store.

6. Reporting a vulnerability

Found something? Email [email protected] with details. We read every report, respond as fast as we can, and will credit you if you want. Please avoid accessing other tenants' data while testing.


Questions about this policy? Contact [email protected].