Security

Your store's data never leaves your store.

Your store's data is yours alone. The database keeps every store isolated. No other shop can see your comps, costs, or margins.

Encrypted in transit and at rest

TLS 1.3 on every connection. AES-256 for data at rest in Postgres and object storage. Backups use separate encryption keys.

Your store is isolated in the database

Row-level security in Postgres ties every row to your store. A different store — or a stray query — cannot read your data. The API never returns what the database refuses to serve.

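As an added illustration of the store-scoped row-level security described above (example SQL written for this page, not Slabbist's own schema; the table, role, column and session-setting names are assumed):

```sql
-- Assumed example schema: one table holding per-store inventory rows.
CREATE TABLE inventory (
  id       bigserial PRIMARY KEY,
  store_id uuid NOT NULL,
  sku      text NOT NULL,
  cost     numeric(12,2) NOT NULL,
  price    numeric(12,2) NOT NULL
);

-- Role the API connects as. It must not own the table and must not hold BYPASSRLS,
-- otherwise the policy below is silently skipped for it.
CREATE ROLE app_api NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON inventory TO app_api;

-- Enable RLS, and FORCE it so even the table owner is subject to the policy.
ALTER TABLE inventory ENABLE ROW LEVEL SECURITY;
ALTER TABLE inventory FORCE ROW LEVEL SECURITY;

-- Bind every read and write to the caller's store id, taken from a per-transaction
-- setting the API sets after authenticating the request.
-- USING filters rows out of SELECT/UPDATE/DELETE; WITH CHECK rejects INSERT/UPDATE
-- rows whose store_id is not the caller's, so a row cannot be moved to another store.
-- current_setting(..., true) returns NULL when the setting is absent, so a request
-- that forgot to set a store sees an empty table instead of every store's rows.
CREATE POLICY inventory_store_isolation ON inventory
  FOR ALL TO app_api
  USING      (store_id = current_setting('app.current_store_id', true)::uuid)
  WITH CHECK (store_id = current_setting('app.current_store_id', true)::uuid);

-- How the API scopes one request (store ids below are constructed sample values).
BEGIN;
SET LOCAL app.current_store_id = '11111111-1111-1111-1111-111111111111';
SELECT sku, cost, price FROM inventory;   -- returns only this store's rows
COMMIT;

-- Writing a row tagged with another store's id fails the WITH CHECK clause and
-- aborts the transaction.
BEGIN;
SET LOCAL app.current_store_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO inventory (store_id, sku, cost, price)
  VALUES ('22222222-2222-2222-2222-222222222222', 'X1', 1.00, 2.00);
ROLLBACK;
```

To verify a deployment, run the SELECT as the API role once with the setting and once without it; the FORCE line is the step most often missed, since without it the table owner bypasses the policy entirely.
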
Least-privilege access

Engineering access to production requires SSO and hardware MFA, is time-limited, and is logged. There is no shared admin account.

Tested backups

Point-in-time recovery up to 7 days. We run monthly restore drills and track them in a runbook available to customers.

Audit logging

Sensitive account and data changes are logged with the actor, time, and IP address. Logs are kept for at least 12 months.

Responsible disclosure

Email security@slabbist.com. We acknowledge within one business day. Good-faith researchers are welcome — details below.

Reporting a vulnerability

Email security@slabbist.com with a description of what you found and how to reproduce it. If you need PGP, ask in your first message and we will send the key before you share any details.

We acknowledge within one business day and aim to triage within three. We do not run a paid bounty program, but we will publicly credit researchers who ask for it once a fix ships.

Safe harbor

Good-faith research on Slabbist production services is not a Terms violation. Good-faith means: no data taken beyond the minimum needed to prove the issue, no denial-of-service testing, no social engineering our staff, and no reading other users' data outside your own accounts.

Subprocessors and infrastructure

A current list is available on request. Key providers today: Supabase (Postgres and auth, US region), Cloudflare (edge network), Resend (transactional email), Sentry (crash reporting with PII redacted), Stripe and Persona (marketplace, planned).

Compliance roadmap

We are working toward SOC 2 Type I in 2026, followed by Type II after twelve months of production operations. GDPR and CCPA compliance is in place today. Customers with specific requirements can request a current security questionnaire response.