Encrypted by default, isolated per tenant, audited continuously. Here is exactly what we do — and what we are still working on.
TLS 1.3 across the public edge with HSTS preload. No service is exposed without HTTPS, including admin and webhook endpoints.
PostgreSQL volumes are encrypted with AES-256. Object storage buckets (Hetzner / S3) ship with server-side encryption on every PUT.
OAuth tokens and API credentials are stored in an AES-256-GCM vault keyed by an HKDF-derived subkey. The master key never leaves the orchestrator.
Each store runs in its own container set with its own database schema. One tenant cannot read another tenant’s data, even at the row level.
Stripe, Iyzico, and partner webhooks are verified with raw-body HMAC. We fail-closed when a secret is missing — we never silently accept unsigned input.
Google, GitHub, and Apple SSO available today. TOTP-based 2FA and enterprise SAML/SCIM on the 2026 roadmap.
We publish what is live, what we are aligned with, and what is on the roadmap. No green checkmarks for things we have not actually shipped.
Customer data is stored within EU regions; data-subject access and deletion requests are handled through the dashboard. DPA signed on request.
Cookie banner enforces consent before non-essential cookies fire. Subprocessor list is published below; right-to-erasure is processed promptly once verified.
Card data never touches Nuvi servers. Stripe and Iyzico handle PAN under their own PCI Level-1 scope — we operate as an out-of-scope merchant tool.
Targeted for late 2026. We are building out controls inventory and the policy library now; no audit has been completed yet.
Stage-1 readiness review planned after SOC 2 closes. Not currently certified.
Public domains and tenant subdomains run TLS 1.3-only with HSTS preload. Verifiable via Mozilla Observatory.
The boring stuff that actually matters. These describe how we work today, not contractual SLAs — written commitments are in your DPA / order form.
We do not run a paid bounty yet, but we credit responsible disclosure on this page. Please give us a reasonable window — typically 90 days — before public disclosure of any unfixed issue.
Email [email protected]We aim to respond to compliance questionnaires from real prospects within a few business days. Bring the toughest one your legal team has.