Legal · StorePack
Security overview
Last updated: 2026-05-11
We treat security as a product property, not a paperwork exercise. This page summarizes the controls — encryption, tenant isolation, and incident-response process. Report vulnerabilities to security@storepack.app.
Tenant isolation
Every tenant-scoped table has Row Level Security enabled, with a policy that checks the row's org_id against the caller's organization membership. User-facing routes use the default Supabase client (anon key plus the user's JWT), so RLS denies cross-tenant reads at the database level rather than in application code. Server-side admin access, which bypasses RLS, is restricted to a small set of webhook and cron handlers and is never reachable from the browser.
Encryption
WooCommerce REST credentials and per-tenant secrets are encrypted at rest using envelope encryption: each row has its own data key, and that data key is stored only in wrapped form under a key-encryption key. Communication between StorePack and your store uses TLS 1.2 or newer with certificate validation.
SSRF protection
Every outbound HTTP fetch in the scraper layer flows through a guard that blocks loopback, link-local, RFC 1918, cloud-metadata, and carrier-grade NAT (CGN) address ranges; re-resolves the hostname and re-validates the resulting IP on every redirect hop (at most 3 redirects); drops Cookie and Authorization headers on cross-origin redirects; and enforces a 10-second timeout and a 5 MB response-body cap.
Authentication
Authentication is handled by Supabase Auth using passwordless email sign-in (magic links and one-time email codes). Session cookies are HttpOnly, Secure, and SameSite=Lax. Rate limits are applied per IP and per organization on sensitive endpoints.
Webhooks
Inbound webhooks (Paddle, WooCommerce) are accepted only after their signatures verify under a constant-time comparison. Deliveries are idempotent: each is recorded in a deduplication table keyed on (provider, external_id), so a redelivered event is acknowledged without being processed twice.
Backups & disaster recovery
Supabase performs daily backups with a 7-day point-in-time recovery window. We test restores monthly to a staging environment. RTO target: 1 hour. RPO target: 24 hours.
Vulnerability disclosure
Email security@storepack.app with the details. We acknowledge within 48 hours, triage within 5 business days, and credit researchers (with consent) in the changelog.
Compliance roadmap
StorePack is built on EU infrastructure and GDPR-aligned. SOC 2 Type 1 is on the roadmap for the second half of 2026.
Questions? hello@storepack.app