Last Updated: January 6, 2026


1. Introduction

At Shoparn, we take data security seriously. This Data Security Policy outlines the technical and organizational measures we implement to protect your information.

This policy applies to all data processed through our Services.


2. Our Security Commitment

We are committed to:

  • Protecting your data from unauthorized access, disclosure, alteration, or destruction
  • Maintaining the confidentiality, integrity, and availability of your information
  • Complying with applicable data protection laws and industry standards
  • Continuously improving our security practices

However, no system is 100% secure. We cannot guarantee absolute security but strive to implement industry best practices.


3. Data Encryption

3.1 Data in Transit

All data transmitted to and from our Services is encrypted using:

  • TLS (Transport Layer Security) 1.2 or higher; older protocol versions are not negotiated
  • HTTPS for all web communications
  • Secure WebSocket (wss://) connections for real-time features

We do not support unencrypted HTTP connections.

3.2 Data at Rest

Stored data is encrypted:

  • AES-256 encryption for stored secrets (API keys, access tokens, OAuth credentials)
  • Database-level encryption provided by our infrastructure (Supabase)
  • Encrypted backups with separate encryption keys, so a compromise of the application's key does not expose backups

Sensitive fields and how each is protected at rest:

  • User passwords: never stored in recoverable form; stored only as bcrypt hashes (bcrypt applies a unique salt to every hash)
  • API keys and access tokens: encrypted with AES-256
  • Payment information: handled by Stripe, which is PCI-DSS compliant
  • OAuth credentials: encrypted with AES-256

4. Access Controls

4.1 Authentication

User Authentication:

  • Strong password requirements (minimum 8 characters, complexity rules)
  • Password hashing with bcrypt (per-password salt; plaintext passwords are never stored)
  • Session management with cookies flagged Secure and HttpOnly
  • Automatic session expiration after a period of inactivity
  • Two-factor authentication (2FA): planned, not yet available

4.2 Authorization

Role-Based Access Control (RBAC) and per-user data isolation:

  • Users can only access their own data
  • Permissions enforced at both the API layer and the database layer, so a bug in one does not bypass the other
  • Principle of least privilege applied

4.3 Internal Access

Employee and contractor access:

  • Limited to authorized personnel only
  • Multi-factor authentication (MFA) required
  • Access logs monitored and audited
  • Immediate revocation upon termination
  • Non-disclosure agreements (NDAs) signed

We do NOT access your data unless:

  • You explicitly request support
  • Required for troubleshooting (with your permission)
  • Legally obligated (with notice when permitted)

5. Infrastructure Security

5.1 Hosting and Cloud Security

Our infrastructure is hosted on trusted providers:

Vercel (Application Hosting):

  • SOC 2 Type II certified
  • DDoS protection
  • Automatic TLS certificate issuance and renewal
  • Edge network for performance and security

Supabase (Database):

  • Built on AWS infrastructure
  • Database encryption at rest
  • Automatic backups (encrypted)
  • Network isolation and VPC security

Railway (Backend Services):

  • Secure container orchestration
  • Network isolation
  • Automatic security patches

Replicate (AI Processing):

  • Secure API communication
  • Images processed in real-time, not stored permanently
  • SOC 2 compliant

5.2 Network Security

  • Firewalls protecting all infrastructure
  • DDoS mitigation at CDN and network levels
  • Rate limiting to prevent abuse
  • IP allowlisting for sensitive operations (where applicable)
  • VPN access for internal administrative functions

5.3 Application Security

Secure Development Practices:

  • Code reviews for all changes
  • Automated security scanning (dependencies, vulnerabilities)
  • Input validation and sanitization
  • Output encoding to prevent XSS attacks
  • SQL injection prevention (parameterized queries)
  • CSRF protection with tokens
  • Security headers (Content-Security-Policy, X-Frame-Options, etc.)

6. Data Backup and Recovery

6.1 Automated Backups

  • Database backups: Daily automated backups
  • Backup encryption: AES-256 encryption
  • Backup storage: Separate geographic location from primary data
  • Backup retention: 30 days rolling retention
  • Backup testing: Regular restore tests to ensure integrity

6.2 Disaster Recovery

Business Continuity Plan:

  • Documented recovery procedures
  • Recovery Time Objective (RTO): 24 hours
  • Recovery Point Objective (RPO): 24 hours
  • Failover capabilities for critical systems
  • Regular disaster recovery drills

7. Monitoring and Incident Response

7.1 Security Monitoring

24/7 Monitoring:

  • Real-time alerts for suspicious activity
  • Log aggregation and analysis
  • Automated threat detection
  • Uptime monitoring
  • Performance monitoring

Security Logging:

  • Authentication attempts (successful and failed)
  • API access logs
  • Data access and modifications
  • Administrative actions
  • Security events (e.g., failed logins, unusual patterns)

Log retention: 90 days for operational logs; logs relating to a security incident are kept for longer than 90 days.
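One detection the logging above makes possible, run over constructed authentication log lines, as an added example that is not Shoparn's code. The line format, the five-failures-in-five-minutes threshold and the alert shapes are assumptions; the rule flags a source address that fails repeatedly inside a sliding window and, separately, a login that succeeds from that address while the burst is still live.

```javascript
// Added example (not Shoparn's code): failed-login burst detection over
// constructed auth log lines. Line format and thresholds are assumed.
const SAMPLE_LOG = [
  '2026-01-06T10:00:01Z auth.login result=failure user=alice ip=203.0.113.5',
  '2026-01-06T10:00:03Z auth.login result=failure user=alice ip=203.0.113.5',
  '2026-01-06T10:00:04Z auth.login result=success user=bob ip=198.51.100.7',
  'malformed line that the parser must skip rather than crash on',
  '2026-01-06T10:00:06Z auth.login result=failure user=carol ip=203.0.113.5',
  '2026-01-06T10:00:09Z auth.login result=failure user=dave ip=203.0.113.5',
  '2026-01-06T10:00:12Z auth.login result=failure user=erin ip=203.0.113.5',
  '2026-01-06T10:00:15Z auth.login result=failure user=frank ip=203.0.113.5',
  '2026-01-06T10:00:20Z auth.login result=success user=erin ip=203.0.113.5',
  '2026-01-06T10:30:00Z auth.login result=failure user=bob ip=198.51.100.7',
  '2026-01-06T11:00:00Z auth.login result=failure user=bob ip=198.51.100.7',
];

const LINE_RE = /^(\S+) auth\.login result=(success|failure) user=(\S+) ip=(\S+)$/;

// Parses one line into { ts, result, user, ip }, or null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, result: m[2], user: m[3], ip: m[4] };
}

// Walks the lines in order, keeping per-IP failures that fall inside the
// window. Emits a 'brute-force' alert when the count reaches `threshold`
// and a 'success-after-burst' alert if a login then succeeds from that IP
// while the burst is still inside the window (the higher-priority signal:
// a guessed password may have worked).
function detectSuspiciousLogins(lines, { threshold = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const recentFailures = new Map(); // ip -> failure events inside the window
  const alerts = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const q = recentFailures.get(ev.ip) || [];
    while (q.length && ev.ts - q[0].ts > windowMs) q.shift(); // age out old failures
    if (ev.result === 'failure') {
      q.push(ev);
      if (q.length === threshold) {
        alerts.push({
          type: 'brute-force',
          ip: ev.ip,
          failures: q.length,
          users: [...new Set(q.map((e) => e.user))], // distinct accounts targeted
          at: new Date(ev.ts).toISOString(),
        });
      }
    } else if (q.length >= threshold) {
      alerts.push({ type: 'success-after-burst', ip: ev.ip, user: ev.user, at: new Date(ev.ts).toISOString() });
    }
    recentFailures.set(ev.ip, q);
  }
  return alerts;
}
```

Against the sample, the address 203.0.113.5 trips the brute-force rule on its fifth failure and then the success-after-burst rule when erin's login succeeds eight seconds later; the two failures from 198.51.100.7 are half an hour apart and never accumulate. The window is what keeps a slow, patient attacker from hiding in ordinary user typos, and the distinct-user list is what distinguishes one person mistyping from credential stuffing.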

7.2 Incident Response

If a security incident occurs:

Immediate Actions:

  1. Contain the incident to prevent further damage
  2. Investigate the scope and impact
  3. Notify affected users (within 72 hours where personal data is involved; see Section 16)
  4. Report to regulatory authorities (if legally required)
  5. Implement remediation measures

Notification:

  • Email notification to affected users
  • Public disclosure if required by law
  • Details on incident nature, affected data, and remediation steps

Post-Incident:

  • Root cause analysis
  • Security improvements to prevent recurrence
  • Documentation and lessons learned

8. Third-Party Security

8.1 Vendor Management

All third-party service providers are evaluated for:

  • Security certifications (SOC 2, ISO 27001, PCI-DSS)
  • Data protection policies
  • Compliance with GDPR, CCPA, and other regulations
  • Contractual data protection obligations

We only work with reputable, security-conscious vendors.

8.2 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all processors handling your data, ensuring:

  • Appropriate security measures
  • Confidentiality commitments
  • Sub-processor transparency
  • Data breach notification obligations

9. Compliance and Certifications

We comply with:

  • GDPR (General Data Protection Regulation – EU)
  • CCPA (California Consumer Privacy Act – USA)
  • SOC 2 principles (Security, Availability, Confidentiality)
  • Mitigations for the OWASP Top 10 web application security risks

Certifications (planned/in progress):

  • SOC 2 Type II audit
  • ISO 27001 certification (future goal)
  • PCI-DSS (card processing is delegated to Stripe, which is PCI-DSS compliant)

10. Employee Security Training

All team members receive:

  • Security awareness training
  • Phishing simulation exercises
  • Data protection and privacy training
  • Secure coding practices (for developers)
  • Regular security updates and refresher training

We enforce:

  • Confidentiality agreements
  • Acceptable use policies
  • Clean desk policies
  • Device security requirements (encrypted laptops, strong passwords)

11. Physical Security

Office and Equipment Security:

  • Locked facilities with access control
  • Visitor sign-in procedures
  • Encrypted laptops and mobile devices
  • Screen locks and automatic logout
  • Secure disposal of hardware (data wiping/destruction)

Note: We operate primarily as a distributed team with cloud infrastructure, minimizing physical security risks.


12. User Responsibilities

To keep your account secure, you should:

  • Use a strong, unique password
  • Never share your password or API keys
  • Enable two-factor authentication (when available)
  • Log out after use on shared devices
  • Keep your software and devices updated
  • Report suspicious activity immediately
  • Review account activity regularly

We will never ask for your password via email or phone.


13. Data Minimization

We collect only what’s necessary:

  • We don’t request unnecessary personal information
  • We limit data retention to required periods
  • We anonymize analytics data
  • We delete data upon account termination

14. Penetration Testing and Audits

Regular Security Assessments:

  • Annual third-party penetration testing
  • Quarterly internal vulnerability scans
  • Dependency security audits (automated)
  • Code security reviews
  • Infrastructure security audits

Findings are promptly addressed and remediated.


15. Bug Bounty Program

We welcome responsible disclosure of security vulnerabilities.

If you discover a security issue:

  1. Email security@shoparn.com
  2. Provide detailed information to reproduce the issue
  3. Allow reasonable time for us to address the issue before public disclosure
  4. Do not exploit the vulnerability beyond what is needed to demonstrate it, and do not access, modify or retain other users' data

We commit to:

  • Acknowledge your report within 48 hours
  • Provide status updates during investigation
  • Credit responsible researchers (if desired)
  • Consider rewards for significant findings (at our discretion)

16. Security Breach Notification

In the event of a data breach:

We will notify you within 72 hours if:

  • Personal data was accessed or disclosed
  • The breach poses a risk to your rights or interests

Notification will include:

  • Nature of the breach
  • Data affected
  • Likely consequences
  • Measures taken to address the breach
  • Recommended actions for affected users

We will also report to regulatory authorities as required by law.


17. Updates to This Policy

We may update this Data Security Policy to reflect new security practices or legal requirements.

Updates will be communicated via:

  • Updated “Last Updated” date
  • Email notification for significant changes
  • Notice on our website

18. Security Contact

To report security issues or ask security questions:

Email: support@shoparn.com (Subject: “Security Inquiry”)
Emergency Security Issues: security@shoparn.com

We take all security reports seriously and will respond promptly.


19. Transparency

We believe in security through transparency:

  • We openly communicate our security practices
  • We disclose incidents when appropriate
  • We provide clear information about data handling
  • We respond to security questions honestly

If you have questions about our security practices, please contact us.