1. Infrastructure
- Hosted on enterprise-grade cloud infrastructure with EU and US regions.
- The production network is isolated in private subnets, with security groups restricting which traffic may reach each component.
- All traffic is encrypted in transit with TLS 1.2 or later; data at rest is encrypted with AES-256.
- Daily encrypted backups; point-in-time recovery for the preceding 7 days.
2. Application security
- Row-level security policies are enforced in the database on every multi-tenant table, so a query made for one tenant cannot return another tenant's rows.
- Strict CSP, HSTS, X-Frame-Options, and other modern security headers.
- Static analysis, dependency scanning and secret scanning on every push.
- Annual third-party penetration test; quarterly internal penetration tests.
3. Access control
- SSO with hardware-backed MFA is mandatory for all staff.
- Principle of least privilege; production access is just-in-time and audited.
- Quarterly access reviews; immediate revocation on offboarding.
4. Monitoring & incident response
- 24/7 on-call rotation, paging on SLO breach.
- Centralised logging with 90-day retention and tamper-evident hashing.
- A defined incident response runbook; affected customers are notified within 72 hours of a confirmed breach.
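To make the "tamper-evident hashing" claim above concrete, here is one common way it is built: each log record carries the hash of the record before it, so editing or deleting any record breaks the chain at that point. This is an added illustration, not storeboostpro.com's own code, and the log events it processes are constructed samples.

```python
import hashlib
import hmac
import json

# Constructed sample audit events; these are not real logs from any system.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:00Z", "actor": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-01-01T00:05:12Z", "actor": "alice", "action": "prod_access_request", "result": "approved"},
    {"ts": "2024-01-01T00:06:40Z", "actor": "alice", "action": "db_query", "result": "ok"},
]

# Sentinel "previous hash" for the first record in a chain.
GENESIS = "0" * 64


def canonical(obj: dict) -> bytes:
    """Deterministic JSON serialisation so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append(chain: list, event: dict) -> dict:
    """Append an event, binding it to the previous record by including that record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"event": dict(event), "prev_hash": prev_hash}  # copy so callers cannot mutate it later
    digest = hashlib.sha256(canonical(body)).hexdigest()
    record = {**body, "hash": digest}
    chain.append(record)
    return record


def build_chain(events: list) -> list:
    chain: list = []
    for event in events:
        append(chain, event)
    return chain


def verify(chain: list) -> tuple:
    """Walk the chain; return (True, -1) if intact, else (False, index_of_first_bad_record)."""
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        body = {"event": record["event"], "prev_hash": record["prev_hash"]}
        expected = hashlib.sha256(canonical(body)).hexdigest()
        # Both the stored hash and the back-link must match; compare_digest avoids timing leaks.
        if record["prev_hash"] != prev_hash or not hmac.compare_digest(expected, record["hash"]):
            return False, i
        prev_hash = record["hash"]
    return True, -1


def head_hash(chain: list) -> str:
    """The latest hash; anchoring this externally (e.g. in WORM storage) also exposes truncation."""
    return chain[-1]["hash"] if chain else GENESIS


def demo_tamper() -> tuple:
    """Show that both in-place edits and deletions are detected."""
    chain = build_chain(SAMPLE_EVENTS)
    ok_before, _ = verify(chain)

    # An insider with write access to the log store rewrites an audit outcome in place.
    chain[1]["event"]["result"] = "denied"
    ok_edit, bad_edit = verify(chain)

    # Another attempt: silently drop the access-request record entirely.
    chain2 = build_chain(SAMPLE_EVENTS)
    del chain2[1]
    ok_del, bad_del = verify(chain2)

    return ok_before, ok_edit, bad_edit, ok_del, bad_del


if __name__ == "__main__":
    print(demo_tamper())
```

A chain alone does not catch an attacker who can rewrite every record from the tampered one to the tail, nor one who simply truncates the log; that is why the head hash is normally written periodically to storage the log writer cannot alter, or signed with a key it does not hold.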
5. Compliance
- GDPR and CCPA compliant.
- SOC 2 Type II audit in progress.
- PCI-DSS scope is reduced via tokenised payments handled by a certified PCI-DSS Level 1 processor.
6. Responsible disclosure
We welcome security researchers. Please email security@storeboostpro.com with reproduction steps. Do not access data that is not yours, do not run automated scans against production, and give us 90 days before public disclosure. We acknowledge reports within 1 business day and credit researchers in our hall of fame.