Legal · StorePack
Security overview
Last updated: 2026-05-11
We treat security as a product property, not a paperwork exercise. This page summarizes the controls — encryption, tenant isolation, and incident-response process. Report vulnerabilities to security@storepack.app.
Tenant isolation
Every tenant-scoped table has Row Level Security enabled with a policy that checks org_id against the caller's membership. The default Supabase client used in user-facing routes is the anonymous client with the user's JWT — RLS denies cross-tenant reads at the database level. Server-side admin access is restricted to a small set of webhook and cron handlers and is never reachable from the browser.
Encryption
WooCommerce REST credentials and per-tenant secrets are encrypted at rest using envelope encryption with a per-row data key wrapped under a key-encryption key. Communication between StorePack and your store uses TLS 1.3 with certificate validation; older clients negotiate down to TLS 1.2 minimum (TLS 1.0/1.1 are refused).
SSRF protection
Every outbound HTTP fetch in the scraper layer flows through a guard that blocks loopback, link-local, RFC1918, cloud-metadata, and CGN ranges, re-validates the resolved IP on each redirect hop (max 3), drops Cookie and Authorization headers on cross-origin redirects, and enforces a 10-second timeout and 5 MB body cap.
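The redirect-handling rules above can be sketched as follows. This is an added illustration, not StorePack's code: it shows per-hop IP re-validation, the 3-redirect limit, and dropping Cookie and Authorization on cross-origin redirects. The names is_blocked, guarded_fetch, resolve and send are hypothetical, the CIDR blocks are the standard ones for the categories listed, and the timeout and body cap are left to the injected send callable.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Categories named on the page, written as their standard CIDR blocks.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local, covers 169.254.169.254 metadata
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGN (RFC 6598)
)]
MAX_REDIRECTS = 3
SENSITIVE = {"cookie", "authorization"}

class BlockedDestination(Exception):
    """Raised when a hop fails the guard."""


def is_blocked(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot dodge the IPv4 rules.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED)


def origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme)


def guarded_fetch(url, headers, resolve, send):
    """resolve(host) -> list of IP strings; send(url, ip, headers) -> (status, location).
    Both callables are hypothetical, injected so the policy runs offline."""
    for _ in range(MAX_REDIRECTS + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise BlockedDestination(url)
        ips = resolve(parts.hostname)
        # Validate every resolved address on every hop, then pin the connection to it.
        if not ips or any(is_blocked(ip) for ip in ips):
            raise BlockedDestination(f"{parts.hostname} -> {ips}")
        status, location = send(url, ips[0], headers)
        if status not in (301, 302, 303, 307, 308) or not location:
            return status, url, headers
        target = urljoin(url, location)
        if origin(target) != origin(url):
            headers = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}
        url = target
    raise BlockedDestination("redirect limit exceeded")
```

Passing the validated address to send, rather than letting the HTTP client resolve the hostname again, is what keeps a DNS answer from changing between the check and the connection.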
Authentication
Authentication is handled by Supabase Auth with magic-link email codes. Session cookies are HttpOnly, Secure, and SameSite=Lax. Two-factor authentication and WebAuthn passkeys are on the roadmap for Q3 2026.
Rate limits
Baselines applied per IP and per organization on sensitive endpoints: authentication 5 requests / minute / IP; outbound scraper 10 runs / hour / org; uploads 20 / hour / org; WooCommerce sync 1 / minute / org. Public endpoints are protected by a durable counter (Upstash) rather than in-memory state, so limits survive cold starts.
Webhooks
Inbound webhooks (Paddle, WooCommerce) verify signatures in constant time and are idempotent via a deduplication table keyed on (provider, external_id).
Backups & disaster recovery
Supabase performs daily backups with a 7-day point-in-time recovery window (PITR enabled in production). We test restores monthly to a staging environment. RTO target: 1 hour. RPO target: 1 hour, backed by PITR rollback granularity.
Vulnerability disclosure
Email security@storepack.app with the details. We acknowledge within 48 hours, triage within 5 business days, and credit researchers (with consent) in the changelog.
Compliance roadmap
StorePack is built on EU infrastructure and GDPR-aligned. SOC 2 Type 1 readiness audit is scheduled for Q4 2026; SOC 2 Type 2 follows in 2027 after the required observation window. Customers can request the gap assessment under NDA in the meantime.
Questions? support@storepack.app