Security Policy
Last updated June 2026
This policy expands on our security overview.
Tenant isolation
All shop-scoped tables enforce row-level security. Cross-tenant access paths are covered by automated two-shop isolation tests that run on every release. Privileged operations go through service-role RPCs only.
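The following is an added illustration, not Cipzo's schema or code, of what the controls above look like in PostgreSQL: a shop-scoped table under row-level security, a privileged operation exposed as a service-role RPC, and a two-shop isolation test that checks read, update and insert paths. The table, column, role and setting names (orders, shop_id, app_user, app.current_shop_id) are assumptions for the example.

```sql
-- Added example (not Cipzo's schema or code). Names below are assumptions.
CREATE TABLE orders (
    id          bigserial PRIMARY KEY,
    shop_id     uuid    NOT NULL,
    total_cents integer NOT NULL
);

-- Enable RLS and force it for the table owner too; without FORCE the owner
-- bypasses policies silently. Superusers and BYPASSRLS roles still bypass.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- The application sets app.current_shop_id per request (SET LOCAL / set_config
-- inside the transaction). current_setting(..., true) returns NULL rather than
-- erroring when unset, and NULL compares false, so an unset tenant sees nothing.
CREATE POLICY orders_tenant_isolation ON orders
    USING      (shop_id = current_setting('app.current_shop_id', true)::uuid)
    WITH CHECK (shop_id = current_setting('app.current_shop_id', true)::uuid);

-- Application role without BYPASSRLS, so the policy applies to every query.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_user;
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO app_user;

-- Privileged operation as a service-role RPC: SECURITY DEFINER runs with the
-- owner's rights, the body scopes by shop_id itself, and EXECUTE is granted
-- explicitly rather than left open to PUBLIC.
CREATE FUNCTION shop_order_total(p_shop_id uuid) RETURNS bigint
LANGUAGE sql SECURITY DEFINER SET search_path = public AS $$
    SELECT coalesce(sum(total_cents), 0) FROM orders WHERE shop_id = p_shop_id;
$$;
REVOKE EXECUTE ON FUNCTION shop_order_total(uuid) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION shop_order_total(uuid) TO app_user;

-- Two-shop isolation test: seed one row per shop, then act as shop A and
-- assert that shop B's data can be neither read, updated nor written.
DO $$
DECLARE
    shop_a uuid := '00000000-0000-0000-0000-00000000000a';  -- constructed ids
    shop_b uuid := '00000000-0000-0000-0000-00000000000b';
    n int;
BEGIN
    INSERT INTO orders (shop_id, total_cents) VALUES (shop_a, 100), (shop_b, 200);

    SET LOCAL ROLE app_user;
    PERFORM set_config('app.current_shop_id', shop_a::text, true);

    -- Read path: only shop A's row is visible.
    SELECT count(*) INTO n FROM orders;
    IF n <> 1 THEN RAISE EXCEPTION 'shop A sees % rows, expected 1', n; END IF;

    -- Update path: shop B's row is filtered out by USING, so nothing changes.
    UPDATE orders SET total_cents = 0 WHERE shop_id = shop_b;
    GET DIAGNOSTICS n = ROW_COUNT;
    IF n <> 0 THEN RAISE EXCEPTION 'shop A modified % shop B rows', n; END IF;

    -- Write path: a row tagged with shop B must be rejected by WITH CHECK
    -- (PostgreSQL reports this as insufficient_privilege, SQLSTATE 42501).
    BEGIN
        INSERT INTO orders (shop_id, total_cents) VALUES (shop_b, 1);
        RAISE EXCEPTION 'cross-tenant insert was allowed';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;  -- expected outcome
    END;

    RAISE NOTICE 'two-shop isolation test passed';
END $$;
```

Run as a superuser or the table owner so the DDL and the seed inserts succeed; the SET LOCAL ROLE inside the block is what puts the test under the policy. A release gate built on this pattern would repeat the three assertions for every shop-scoped table and every RPC, since a single unprotected path is enough to break isolation.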
Authentication & authorization
Authentication is magic-link first with password fallback, with anti-enumeration on login and a 5-attempt lockout. Operator access is gated by a role × module × verb (CRUDE) matrix.
Encryption
TLS 1.3 in transit; Postgres-level encryption at rest. We do not use weak ciphers.
AI safety
Per-merchant cost caps, output validation, confidence scoring, and prompt-injection defenses. AI never receives raw customer PII.
Audit logging
Every grant, role change, and cap modification is logged with actor and timestamp.
Responsible disclosure
Report vulnerabilities to security@cipzo.com. We acknowledge within 24 hours and do not pursue legal action against good-faith disclosure.
Certifications
Cipzo is not yet SOC 2 or ISO 27001 certified. We are evaluating these as we scale and will not claim certifications we do not hold.