Security

Last updated: January 11, 2026

Our Security Commitment

At Ship-ify, security is fundamental to everything we build. We understand that you trust us with your business data, and we take that responsibility seriously. Our platform is designed with security at its core, implementing industry best practices to protect your data at every layer.

Data Encryption

All data transmitted to and from Ship-ify is protected using industry-standard encryption:

  • In Transit: All API communications use TLS 1.3 encryption, ensuring your data is protected during transmission
  • At Rest: Sensitive data stored in our databases is encrypted using AES-256 encryption
  • API Keys: Your API keys are hashed using bcrypt before storage - we never store plain-text keys
  • Passwords: User passwords are salted and hashed using bcrypt with appropriate work factors

API Key Security

Your API keys are critical credentials that control access to your account:

  • Unique Keys: Each API key is cryptographically generated using secure random number generators
  • Granular Permissions: Configure per-key algorithm restrictions and usage limits
  • Instant Revocation: Revoke compromised keys immediately from your dashboard
  • Usage Tracking: Monitor all API key activity with detailed logging
  • Rate Limiting: Built-in rate limiting protects against abuse and brute-force attacks

Important: Never share your API keys or commit them to version control. Use environment variables or secrets management systems to handle API keys in your applications.

Infrastructure Security

Our infrastructure is built on modern cloud platforms with enterprise-grade security:

  • Cloud Hosting: Deployed on secure cloud infrastructure with automated security patching
  • Database Security: PostgreSQL databases hosted on Neon with automatic backups and point-in-time recovery
  • Network Isolation: Services run in isolated environments with strict network access controls
  • DDoS Protection: Built-in protection against distributed denial-of-service attacks
  • Monitoring: 24/7 infrastructure monitoring with automated alerting for anomalies

Authentication & Access Control

We implement robust authentication mechanisms to protect your account:

  • OAuth Integration: Sign in securely with Google or GitHub using industry-standard OAuth 2.0
  • Session Management: Secure session handling with automatic expiration and refresh tokens
  • CSRF Protection: Cross-site request forgery protection on all authenticated endpoints
  • Secure Cookies: HTTP-only, secure cookies with SameSite attributes

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor:

  • We never store, process, or transmit credit card numbers on our servers
  • All payment data is handled directly by Stripe's secure infrastructure
  • Subscription management and billing use Stripe's secure customer portal

Data Retention & Deletion

We maintain clear policies around data retention:

  • API Request Data: We do not permanently store the contents of your API requests. Request data is processed in memory and discarded after returning results.
  • Usage Logs: Aggregated usage statistics are retained for billing and analytics purposes
  • Account Deletion: Upon account deletion, all associated data is permanently removed within 30 days
  • Box Set Data: Custom box configurations are stored until you delete them or close your account

Vulnerability Reporting

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please contact us at security@ship-ify.com. We commit to:

  • Acknowledge receipt of your report within 48 hours
  • Provide an initial assessment within 5 business days
  • Keep you informed of our remediation progress
  • Not pursue legal action against good-faith security researchers

Security Best Practices for Users

Help us keep your account secure by following these recommendations:

  • Use a strong, unique password for your Ship-ify account
  • Enable OAuth sign-in with Google or GitHub for added security
  • Store API keys securely using environment variables or secrets managers
  • Regularly rotate your API keys, especially after team member changes
  • Monitor your usage dashboard for unexpected activity
  • Revoke unused API keys promptly
