Security
Last updated: May 7, 2026
Security is foundational to a chargeback platform. This page describes the technical and operational safeguards we use to protect merchant accounts, Shopify customer data, and the evidence DisputeDesk generates on a merchant's behalf. We state only what is true today; we do not claim certifications we do not hold.
Encryption in transit and at rest
All traffic to and from the application is encrypted using TLS 1.2 or higher. Data at rest in our managed Postgres database is encrypted at the storage layer by our infrastructure provider. Sensitive application-layer fields (for example, third-party API tokens such as Shopify access tokens) are additionally encrypted using AES-256-GCM with rotated keys before being written to the database.
HTTPS everywhere
The marketing site, embedded Shopify app, merchant portal, and all webhook endpoints are served only over HTTPS. HTTP requests are redirected. Cookies that carry session state are marked Secure and use the strictest SameSite attribute the embedded context allows.
Infrastructure protections
Application hosting runs on Vercel; database, authentication, and private file storage run on Supabase. Both providers operate isolated tenant environments, automated patching, network-level firewalling, and DDoS protection. We rely on those providers' documented controls and revisit our choice of provider as our security posture matures.
Access controls
Database access is governed by Supabase Row-Level Security policies that scope reads and writes to the owning shop. The embedded Shopify app, merchant portal, and internal admin panel each authenticate via independent paths (Shopify session token, Supabase Auth, Supabase Auth + an internal grants table). Cross-shop reads are blocked at the middleware layer by an explicit shop-identity guard.
Production access restrictions
Production database and infrastructure credentials are limited to the smallest set of operators required to run the service. Service-role credentials are never exposed to client code; only server-side runtimes hold them. Local development runs against a separate environment and never reads or writes production data.
Environment and secret management
Secrets are stored in the deployment platform's encrypted environment variable store and injected into the application at runtime. Secrets are never committed to source control; a machine-checked guard fails the build if a known secret pattern appears in tracked files. Secret rotation is performed when a provider notifies us of an incident, when a contributor with access leaves, or on a periodic schedule, whichever comes first.
Monitoring and logging
The platform writes structured operational logs for every dispute synced, every evidence pack built, every Shopify mutation, and every webhook processed. Audit events record who (merchant, system, internal admin) took what action against which resource, with timestamps. Logs are retained alongside the dispute record they reference and are available to merchants inside the dispute timeline.
Shopify GDPR webhook support
DisputeDesk subscribes to and handles Shopify's mandatory GDPR webhooks: customers/data_request, customers/redact, and shop/redact. Each handler verifies the HMAC signature on the request before taking any action. The redact handlers are idempotent — a redelivered webhook produces the same end state as a single delivery. See the Data Retention page for what each webhook does in detail.
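The verify-then-redact flow described above, as an added example that is not DisputeDesk's own code. It follows Shopify's webhook signing scheme (base64 HMAC-SHA256 of the raw body in the X-Shopify-Hmac-Sha256 header); the in-memory store, function names, secret and payload are constructed for illustration.

```javascript
// Added example, not DisputeDesk's code. Store, names and sample data are constructed.
const crypto = require("node:crypto");

// Shopify signs the raw request body: base64(HMAC-SHA256(app secret, body)),
// delivered in the X-Shopify-Hmac-Sha256 header.
function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("base64");
}

function verifyShopifyHmac(rawBody, headerValue, secret) {
  if (typeof headerValue !== "string" || headerValue === "") return false;
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(headerValue, "base64");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// customers/redact handler over a hypothetical Map keyed by "shop:customerId".
function handleCustomersRedact(store, rawBody, headerValue, secret) {
  // Verify before parsing: unauthenticated bytes never reach JSON.parse.
  if (!verifyShopifyHmac(rawBody, headerValue, secret)) return { status: 401 };
  const { shop_domain: shop, customer } = JSON.parse(rawBody.toString("utf8"));
  const key = `${shop}:${customer.id}`;
  const row = store.get(key);
  // Idempotent: writes fixed values, and a missing row is still success,
  // so a redelivery ends in the same state as a single delivery.
  if (row) store.set(key, { ...row, email: null, name: null, redacted: true });
  return { status: 200 };
}

// Constructed sample delivery.
const SAMPLE_SECRET = "constructed-app-secret";
const SAMPLE_BODY = Buffer.from(JSON.stringify({
  shop_domain: "example-shop.myshopify.com",
  customer: { id: 1001, email: "buyer@example.com" },
  orders_to_redact: [],
}));

function demo() {
  const store = new Map([["example-shop.myshopify.com:1001",
    { email: "buyer@example.com", name: "Sample Buyer", redacted: false }]]);
  const header = sign(SAMPLE_BODY, SAMPLE_SECRET);
  const first = handleCustomersRedact(store, SAMPLE_BODY, header, SAMPLE_SECRET);
  const afterFirst = JSON.stringify([...store]);
  const second = handleCustomersRedact(store, SAMPLE_BODY, header, SAMPLE_SECRET);
  return { first, second, sameState: afterFirst === JSON.stringify([...store]) };
}
```

The signature must be computed over the exact bytes received; a body that has been parsed and re-serialized by a framework will not verify.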
Incident response
If we become aware of a security incident affecting merchant or customer data, we triage the impact, contain the cause, restore normal operation, and notify affected merchants without undue delay. Notice will include a description of what happened, what data was affected, what we have done in response, and what merchants should consider doing. We comply with applicable breach-notification laws.
Responsible disclosure
If you believe you have found a security vulnerability in DisputeDesk, please report it to security@disputedesk.app. Please give us a reasonable opportunity to investigate and remediate before any public disclosure. We commit to:
- Acknowledging your report within five business days.
- Working with you in good faith to understand the issue and its impact.
- Not taking legal action against researchers who follow this process, act in good faith, and avoid privacy violations, destruction of data, or service disruption.
Contact
Security questions and vulnerability reports: security@disputedesk.app.