Commerce OS

Security

How we protect your business + your customers.

Commerce OS is built to a launch-ready security posture — narrow PCI scope, strong cryptography, audited dependencies, and the data-rights endpoints regulators expect.

Encryption

AES-256-GCM at rest, TLS 1.2+ in transit.

Every secret column (MFA TOTP secrets, OAuth refresh tokens) is stored under authenticated AES-256-GCM, so a modified ciphertext fails authentication instead of decrypting to garbage. All HTTP traffic is served over TLS 1.2 or newer, and the domain is HSTS-preloaded so browsers never attempt a plaintext request. Stripe payment data never touches our servers: it is tokenized at the reader and at the hosted-checkout boundary.

Compliance

PCI-DSS SAQ-A scope + GDPR / CCPA endpoints.

Card data flows entirely through Stripe (we store last-4 + brand only). GDPR Art. 15 export + Art. 17 erasure are live merchant endpoints with a 30-day grace + automated anonymization. CCPA right-to-know + right-to-delete share the same surface.

Audit cadence

Quarterly OWASP + a11y reviews.

OWASP Top-10 self-assessment runs every quarter against an explicit checklist (4 grep commands + a manual permission-guard sweep). WCAG 2.1 AA accessibility audit on the same cadence with axe-DevTools across dashboard + storefront + POS web.

PCI-DSS

The narrowest possible scope (SAQ-A).

Commerce OS handles card data exclusively through Stripe’s tokenization rails. Stripe Terminal tokenizes card-present transactions at the reader; Stripe Checkout tokenizes online + storefront orders at the hosted page. The merchant’s browser, our API, and our database NEVER see a full PAN, CVV, or magnetic-stripe data.

What we DO store: stripe_payment_intent_id, card.brand, card.last4 — exactly the surface a merchant needs for receipt rendering and refund initiation. Nothing more.

This is the SAQ-A scope (the smallest PCI-DSS form factor), appropriate for merchants whose sole touchpoint with cardholder data is a tokenization service. Operator responsibilities (key rotation, network policy, info-sec policy) are documented in our internal compliance reference; merchants subject to their own PCI obligations should reach out to [email protected] for a copy of our SAQ-A attestation.

Privacy + data rights

Real endpoints, not lawyer copy.

GDPR / UK GDPR / CCPA / CPRA all converge on the same data-subject rights. We surface them as live API endpoints, not a contact-our-DPO email.

GDPR Art. 15 / CCPA §1798.110

Right of access

GET /auth/export-data returns every PII column we hold for the calling user: their employment relationship, the last 90 days of time-clock entries, a lifetime tip-attribution summary and an order-attribution count, all as machine-readable JSON. Throttled at 5 requests per hour.

GDPR Art. 17 / CCPA §1798.105

Right of erasure

DELETE /auth/account schedules a 30-day soft-delete with an explicit grace window. After 30 days, an automated anonymization cron scrubs PII from auth.users + auth.sessions + auth.pin_codes; financial records are retained per IRS + FLSA requirements with the user reference set to NULL.
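The soft-delete and anonymization flow described above, as an added example written for this page and not Commerce OS's own code. It runs over an in-memory stand-in for the auth and finance tables; table and column names, the placeholder email format, and the assumption that logging back in during the grace window cancels the request are all choices made for the demo.

```javascript
// Added example, not Commerce OS code: 30-day soft-delete, cancellation inside the
// grace window, and the anonymization pass that scrubs PII while keeping financial
// rows with their user reference set to NULL.
const DAY_MS = 24 * 60 * 60 * 1000;
const GRACE_MS = 30 * DAY_MS;

// DELETE /auth/account: mark the row; nothing else changes yet.
function requestDeletion(db, userId, now) {
  const u = db.users.find(x => x.id === userId);
  if (!u || u.anonymized_at) return false;
  u.deleted_at = now;
  return true;
}

// Assumed behaviour: the user can cancel any time before the cron reaches them.
function cancelDeletion(db, userId) {
  const u = db.users.find(x => x.id === userId);
  if (!u || u.anonymized_at || u.deleted_at === null) return false;
  u.deleted_at = null;
  return true;
}

// The cron. Only rows whose full grace window has elapsed are touched, and a row
// that was already anonymized is skipped, so re-running the job is safe.
function runAnonymizationCron(db, now) {
  const due = db.users.filter(
    u => u.deleted_at !== null && !u.anonymized_at && now - u.deleted_at >= GRACE_MS,
  );
  for (const u of due) {
    // Placeholders keep uniqueness constraints satisfied; .invalid never routes.
    u.email = `deleted-${u.id}@anonymized.invalid`;
    u.name = null;
    u.phone = null;
    u.anonymized_at = now;
    // Sessions and PIN codes are credentials, not records: drop them outright.
    db.sessions = db.sessions.filter(s => s.user_id !== u.id);
    db.pin_codes = db.pin_codes.filter(p => p.user_id !== u.id);
    // Financial and time-clock rows are retained; only the user link is severed.
    for (const o of db.orders) if (o.user_id === u.id) o.user_id = null;
    for (const t of db.time_entries) if (t.user_id === u.id) t.user_id = null;
  }
  return due.map(u => u.id);
}

// Constructed sample state: user 1 asked 31 days ago, user 2 two days ago, user 3 never.
function sampleDb(now) {
  return {
    users: [
      { id: 1, email: 'ada@example.com', name: 'Ada', phone: '+15550100', deleted_at: now - 31 * DAY_MS, anonymized_at: null },
      { id: 2, email: 'bob@example.com', name: 'Bob', phone: '+15550101', deleted_at: now - 2 * DAY_MS, anonymized_at: null },
      { id: 3, email: 'cy@example.com', name: 'Cy', phone: '+15550102', deleted_at: null, anonymized_at: null },
    ],
    sessions: [{ id: 10, user_id: 1 }, { id: 11, user_id: 2 }, { id: 12, user_id: 3 }],
    pin_codes: [{ user_id: 1, pin_hash: 'h1' }, { user_id: 3, pin_hash: 'h3' }],
    orders: [{ id: 100, user_id: 1, total_cents: 1299 }, { id: 101, user_id: 2, total_cents: 500 }],
    time_entries: [{ id: 200, user_id: 1, minutes: 480 }],
  };
}

function demo() {
  const now = Date.UTC(2026, 4, 1);
  const db = sampleDb(now);
  const anonymized = runAnonymizationCron(db, now);
  return { db, anonymized };
}
```

The cron is idempotent on purpose: if it is retried after a partial failure, already-anonymized rows are not rewritten and rows still inside their grace window are never touched early.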

GDPR Art. 16

Right to rectification

Standard PATCH /users/:id surface, gated on the user themselves or an org admin with auth.manage_users.

GDPR Art. 20

Right to data portability

The same /auth/export-data endpoint as Art. 15 — JSON shape is portable across any platform that consumes ECMA-404 (which is most of them).

Customer-side rights (consumers of merchant orders) are honored via the merchant-admin path: the dashboard’s Customer Detail page carries Delete + Export Data actions for any customer the merchant has on file.

Sub-processors

Who we share data with — and why.

GDPR Article 28 requires that merchants, as controllers, know which sub-processors we engage on their data and get the chance to object before one is added or replaced. Here is the full catalog, with what each one receives.

Processor | Purpose | Data shared
Stripe | Payment processing (Terminal + Checkout) | Card data (tokenized at reader/checkout boundary), customer email + name on storefront orders
Twilio | SMS (OTP login, order confirmations, reservation reminders) | Customer phone numbers, message bodies
SendGrid | Transactional email | Customer + employee email addresses, message bodies
DoorDash Drive | Last-mile delivery dispatch | Order subtotal, delivery address, customer name + phone
Uber Direct | Last-mile delivery dispatch (alternative) | Order subtotal, delivery address, customer name + phone
Sentry | Crash reporting + performance monitoring | Stack traces with sensitive fields auto-scrubbed (password, token, PIN, OTP, etc.)
Render | Application hosting + managed Postgres + Redis | Full application data (encrypted at rest in their data centers)

Sub-processor list is current as of May 2026. Material changes are communicated to merchants 30 days before they take effect.
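The auto-scrubbing noted in the Sentry row above, as an added example written for this page; it is neither Commerce OS's code nor the Sentry SDK's built-in filtering. A function like this would be wired into the Sentry JavaScript SDK's beforeSend hook so redaction happens before the event leaves the process. The sensitive-key list, the sample event, and the decision to Luhn-check digit runs before treating them as card numbers are all choices made for the demo.

```javascript
// Added example, not Commerce OS code and not the Sentry SDK: recursive scrubbing of
// a crash-report payload by key name, plus value-level redaction of bearer credentials,
// sensitive query parameters, and Luhn-valid card-number-shaped digit runs.
const SENSITIVE_TOKENS = new Set([
  'password', 'passwd', 'secret', 'token', 'auth', 'authorization', 'cookie',
  'session', 'pin', 'otp', 'totp', 'cvv', 'cvc', 'pan', 'ssn',
]);
const FILTERED = '[Filtered]';

// Split a key into word tokens (snake_case, kebab-case, camelCase) so "pinCode"
// and "pin_code" match while "shippingAddress" does not.
function keyTokens(key) {
  return String(key)
    .replace(/([a-z0-9])([A-Z])/g, '$1 $2')
    .toLowerCase()
    .split(/[^a-z0-9]+/)
    .filter(Boolean);
}

function isSensitiveKey(key) {
  return keyTokens(key).some(t => SENSITIVE_TOKENS.has(t));
}

// Luhn check so only plausible card numbers are redacted; order IDs and timestamps
// of similar length are left readable.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function scrubString(s) {
  return s
    // bearer/basic credentials that leaked into a message or breadcrumb
    .replace(/\b(Bearer|Basic)\s+[A-Za-z0-9._~+\/=-]+/g, `$1 ${FILTERED}`)
    // sensitive query-string parameters inside URLs
    .replace(/([?&])([^=&#]+)=([^&#]*)/g, (m, sep, k) => (isSensitiveKey(k) ? `${sep}${k}=${FILTERED}` : m))
    // 13-19 digit runs (spaces or dashes allowed) that pass Luhn
    .replace(/\b\d(?:[ -]?\d){12,18}\b/g, m => (luhnValid(m.replace(/[ -]/g, '')) ? FILTERED : m));
}

// Walk the event; sensitive keys are replaced wholesale, other strings are scanned.
function scrub(value, depth = 0) {
  if (depth > 20) return '[Truncated]'; // guard against pathological nesting
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map(v => scrub(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = isSensitiveKey(k) ? FILTERED : scrub(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Constructed sample event in the shape of a crash report.
function sampleEvent() {
  return {
    message: 'Charge failed for 4242 4242 4242 4242',
    request: {
      url: 'https://api.example.com/orders?token=abc123',
      headers: { Authorization: 'Bearer eyJabc.def', 'Content-Type': 'application/json' },
    },
    extra: {
      pinCode: '1234',
      otp: '998877',
      totp_secret: 'JBSWY3DPEHPK3PXP',
      shippingAddress: '1 Main St',
      user: { email: 'ada@example.com', refreshToken: 'r-1' },
    },
  };
}

function scrubbedSample() {
  return scrub(sampleEvent());
}
```

Key-based redaction catches fields that were named honestly; the value-level passes are the backstop for secrets that end up in free-text messages, URLs and breadcrumbs, which is where crash reports usually leak them.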

Audit + retention

What we keep, and how long.

Financial records

7 years

Set to exceed IRS records-retention guidance for transaction-level revenue records. Stripe payments, tips, gift-card transactions, refunds and returns are all retained.

Time-clock entries

3 years

FLSA recordkeeping requires payroll records for 3 years and the time cards behind them for 2; we keep both for 3. Time entries, breaks, schedule shifts, and payroll-export records.

Audit log

7 years

Tracks every write-path operation across the platform: who did what, when, on which resource, with before/after diff. Read via /settings/audit-log on the dashboard.

Page-view + UI-event telemetry

13 months

Usage analytics. Events carry an actor ID while the account exists; at the GDPR-erasure boundary the actor ID is anonymized, after which the data is aggregate only.

Sentry crash reports

30 days

Sensitive fields are auto-scrubbed before transmission. Reports drop off automatically per Sentry’s retention policy.

Backups

30 days rolling

Encrypted Postgres pg_dump + S3 sync via the operator runbook in docs/runbooks/postgres-backup-restore.md. Quarterly restore drills.

Responsible disclosure

Found a vulnerability?

Email [email protected] with reproduction steps. We acknowledge within one business day, triage to a SEV level, and confirm resolution timing in writing. We don’t run a paid bug bounty yet — but we credit security researchers in the changelog (with permission).

Please don’t test on real merchant data. We can stand up a dedicated test environment for active research engagements — request access.

Have a deeper compliance question?

We’ll send you our SAQ-A attestation, sub-processor agreements, and the OWASP Top-10 audit doc. No NDA gating.