Built for stores you can sleep through.
Encrypted by default, isolated per tenant, audited continuously. Here is exactly what we do — and what we are still working on.
How your data is protected
Encryption in transit
TLS 1.3 across the public edge with HSTS preload. No service is exposed without HTTPS, including admin and webhook endpoints.
Encryption at rest
PostgreSQL volumes are encrypted with AES-256. Object storage buckets (Hetzner / S3) ship with server-side encryption on every PUT.
Secret vault
OAuth tokens and API credentials are stored in an AES-256-GCM vault keyed by an HKDF-derived subkey. The master key never leaves the orchestrator.
Per-tenant isolation
Each store runs in its own container set with its own database schema. One tenant cannot read another tenant’s data, even at the row level.
Webhook signing
Stripe, Iyzico, and partner webhooks are verified with raw-body HMAC. We fail-closed when a secret is missing — we never silently accept unsigned input.
SSO & 2FA
Google, GitHub, and Apple SSO available today. TOTP-based 2FA and enterprise SAML/SCIM on the 2026 roadmap.
Compliance status
We publish what is live, what we are aligned with, and what is on the roadmap. No green checkmarks for things we have not actually shipped.
KVKK (Türkiye)
Customer data is stored within EU regions; data-subject access and deletion requests are handled through the dashboard. DPA signed on request.
GDPR (EU)
Cookie banner enforces consent before non-essential cookies fire. Subprocessor list is published below; right-to-erasure is processed promptly once verified.
PCI DSS scope
Card data never touches Nuvi servers. Stripe and Iyzico handle PAN under their own PCI Level-1 scope — we operate as an out-of-scope merchant tool.
SOC 2 Type I
Targeted for late 2026. We are building out controls inventory and the policy library now; no audit has been completed yet.
ISO 27001
Stage-1 readiness review planned after SOC 2 closes. Not currently certified.
TLS 1.3 + HSTS preload
Public domains and tenant subdomains run TLS 1.3-only with HSTS preload. Verifiable via Mozilla Observatory.
Operational practices
The boring stuff that actually matters. These describe how we work today, not contractual SLAs — written commitments are in your DPA / order form.
- Automated PostgreSQL backups run daily with timestamped snapshots; retention is the same on every plan.
- All production writes pass through migration-reviewed code paths. Schema migrations run with version tags and a rollback script.
- Least-privilege access: engineers reach production data only through a logged break-glass tool. No shared admin accounts.
- Dependency scanning on every commit. We aim to patch critical CVEs as quickly as possible — typically within days, with the actual window depending on the upstream advisory.
- Container images are pinned by digest. Production deploys are reproducible from a tagged GHCR image.
- Incident postmortems are written for any customer-impacting event and shared internally with action items.
Report a vulnerability
We do not run a paid bounty yet, but we credit responsible disclosure on this page. Please give us a reasonable window — typically 90 days — before public disclosure of any unfixed issue.
Email [email protected]Need a DPA, a subprocessor list, or to talk to engineering?
We aim to respond to compliance questionnaires from real prospects within a few business days. Bring the toughest one your legal team has.