We treat your store data and business intelligence with the same seriousness you do.
All data travels over TLS 1.3. Older protocol versions (TLS 1.0/1.1) are disabled.
All database data is encrypted with AES-256. OAuth tokens and API credentials receive an additional application-layer encryption pass before storage.
Passwords are hashed with bcrypt (cost factor 12). Session tokens are short-lived JWTs stored in HttpOnly, Secure, SameSite=Strict cookies. Google OAuth is available for passwordless sign-in.
Production database access requires VPN + MFA and is fully logged. All internal access to customer data follows least-privilege principles and requires a documented reason.
All API endpoints are rate-limited. Auth endpoints include Cloudflare Turnstile bot protection. Unusual usage patterns trigger automatic alerts.
Backend runs on Railway with environment-isolated secrets. Frontend deploys on Vercel with Cloudflare edge DDoS protection. Secrets are environment-variable-only — never committed to source.
Content submitted for AI analysis is sent to Azure OpenAI Services. Microsoft contractually commits that your data is not used to train foundation models. We send minimum necessary data per call.
We maintain an internal incident response runbook. In the event of a confirmed breach affecting user rights, we will notify affected users and regulators within 72 hours per GDPR requirements.
Privacy controls in place. DPA available on request. Data subject request process active.
California consumers may submit requests to privacy@ecomrevhub.com. We do not sell personal data.
We do not store, process, or transmit raw card data. All payments handled by Stripe (PCI Level 1 certified).
Actively pursuing SOC 2 Type II certification. Expected completion: Q4 2026.
All connections enforced over TLS 1.3. TLS 1.0 and 1.1 are disabled.
We welcome security researchers. If you discover a vulnerability, please report it privately before public disclosure. We commit to: