Security & Compliance

We follow best practices across transport, storage, access, and operations.

Transport & Storage
  • TLS 1.2+ for all traffic
  • Passwords hashed with bcrypt
  • API tokens encrypted at rest
  • Daily backups and tested restores
Access Control
  • Least‑privilege app roles
  • Scoped API keys (29Next & ShipHero)
  • Admin audit trail
  • Session hardening & 30‑day remember‑me rotation
Operations
  • Incident response & runbooks
  • Webhook signature verification
  • Rate‑limit aware retries
  • Monitoring & alerting
Payments

Stripe processes all payments. Card data never touches our servers (PCI handled by Stripe).
