Security
Last updated: 2026-04-19. A summary of the controls we run today. Formal attestations (SOC 2, ISO 27001) are on the roadmap for post-GA.
Tenant isolation
Every tenant-scoped table in Kommercio carries a tenant_id column. Postgres Row-Level Security is enabled on those tables with FORCE ROW LEVEL SECURITY, so the policies apply even to the table owner. The application connects as a non-superuser role (superusers bypass RLS), so the policies are always in effect. Each request runs inside a transaction that pins the tenant with SET LOCAL app.current_tenant_id, and the setting is discarded when the transaction ends. Cross-tenant reads are blocked at the database layer rather than by application-side filtering.
Identity & access
- Identity is handled by Clerk with JWT + JWKS verification on every request.
- Operator endpoints (/platform/*) require a separate long-lived bearer, never a Clerk token.
- Admin subdomain has stricter CSP and X-Frame-Options: DENY.
Encryption
- TLS 1.3 everywhere — admin, storefront, and custom domains (via Caddy on-demand TLS).
- Encryption at rest on Postgres volumes and Cloudflare R2 backup bucket.
- No customer data written to disk in plaintext outside the primary database.
Webhooks
Inbound and outbound webhooks are HMAC-SHA256-signed over the raw request body (the bytes as sent, before any parsing or re-serialisation), with the signature carried in X-Signature-256. Two active secrets run in a 24-hour rotation window so receivers never reject in-flight messages during a key roll. Inbound traffic is deduplicated on X-Idempotency-Key.
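The receiving side of that scheme, written here as an added illustration rather than Kommercio's own code: HMAC-SHA256 over the raw bytes, a constant-time comparison against every secret still inside the 24-hour rotation window, and idempotency-key deduplication that only runs after the signature has verified (so an unauthenticated sender cannot fill the dedup cache). The header names are the ones on this page; the hex encoding with a sha256= prefix, the WebhookReceiver class and the sample event body are assumptions made for the example.

```python
"""Constructed example of receiving HMAC-SHA256-signed webhooks with a
dual-secret rotation window and idempotency-key dedup. Not Kommercio code;
header names come from the security page, the signature encoding
(hex digest with a "sha256=" prefix) is an assumption."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

ROTATION_WINDOW_SECONDS = 24 * 60 * 60  # old secret keeps verifying for 24 hours after a roll


@dataclass
class ActiveSecret:
    value: bytes
    retire_at: Optional[float] = None  # None = current secret, no retirement scheduled


def compute_signature(raw_body: bytes, secret: bytes) -> str:
    """Sign the exact bytes received. Re-serialised JSON would not verify."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, current_secret: bytes, dedup_ttl: int = ROTATION_WINDOW_SECONDS):
        self.secrets: List[ActiveSecret] = [ActiveSecret(current_secret)]
        self.dedup_ttl = dedup_ttl
        self.seen: Dict[str, float] = {}  # X-Idempotency-Key -> time first accepted

    def rotate(self, new_secret: bytes, now: float) -> None:
        """Promote new_secret; the previous secret stays valid for the window."""
        for s in self.secrets:
            if s.retire_at is None:
                s.retire_at = now + ROTATION_WINDOW_SECONDS
        self.secrets.append(ActiveSecret(new_secret))

    def _live_secrets(self, now: float) -> List[ActiveSecret]:
        # Drop secrets whose rotation window has elapsed
        self.secrets = [s for s in self.secrets if s.retire_at is None or s.retire_at > now]
        return self.secrets

    def verify(self, raw_body: bytes, presented: str, now: float) -> bool:
        # Constant-time comparison against each live secret; any match is enough
        return any(
            hmac.compare_digest(compute_signature(raw_body, s.value), presented)
            for s in self._live_secrets(now)
        )

    def accept(self, headers: Dict[str, str], raw_body: bytes, now: Optional[float] = None) -> str:
        """Return 'rejected', 'duplicate' or 'accepted'. Signature first, dedup second."""
        now = time.time() if now is None else now
        if not self.verify(raw_body, headers.get("X-Signature-256", ""), now):
            return "rejected"
        key = headers.get("X-Idempotency-Key")
        if key is not None:
            # Expire stale keys, then check for a redelivery
            self.seen = {k: t for k, t in self.seen.items() if now - t < self.dedup_ttl}
            if key in self.seen:
                return "duplicate"
            self.seen[key] = now
        return "accepted"


def run_scenario() -> List[str]:
    """Walk one key roll end to end with constructed sample data."""
    old, new = b"old-secret", b"new-secret"  # constructed secrets
    body = b'{"event":"order.paid","id":"ord_123"}'  # constructed event body
    t0 = 1_700_000_000.0
    rx = WebhookReceiver(old)

    def headers(secret: bytes, key: str) -> Dict[str, str]:
        return {"X-Signature-256": compute_signature(body, secret), "X-Idempotency-Key": key}

    results = [rx.accept(headers(old, "evt-1"), body, t0)]          # accepted
    results.append(rx.accept(headers(old, "evt-1"), body, t0 + 5))  # duplicate: redelivery
    rx.rotate(new, t0 + 60)                                         # key roll begins
    results.append(rx.accept(headers(old, "evt-2"), body, t0 + 3600))       # accepted: old key in window
    results.append(rx.accept(headers(new, "evt-3"), body, t0 + 3600))       # accepted: new key
    results.append(rx.accept(headers(new, "evt-4"), body + b" ", t0 + 7200))  # rejected: body altered
    late = t0 + 60 + ROTATION_WINDOW_SECONDS + 1
    results.append(rx.accept(headers(old, "evt-5"), body, late))            # rejected: window elapsed
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The order of checks matters: verifying before deduplicating means only authenticated deliveries ever populate the idempotency cache, and the TTL on seen keys bounds its size.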
Backups
- Nightly pg_dump -Fc, compressed with zstd.
- 14 daily, 8 weekly, 12 monthly retention tiers.
- Offsite mirror to Cloudflare R2 after each nightly dump.
- Restore drills documented and runnable in under 30 minutes.
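The retention tiers above describe a grandfather-father-son rotation. As an added example (not Kommercio's tooling), the selection logic below decides which nightly dumps to keep under a 14 daily / 8 weekly / 12 monthly policy. It assumes one dump per calendar day, that "weekly" means the newest dump in each ISO week and "monthly" the newest dump in each calendar month; the function names and the 400-day sample run are constructed for the example.

```python
"""Constructed example of a 14 daily / 8 weekly / 12 monthly dump retention
policy. Not Kommercio code; bucket semantics (newest dump per ISO week and per
calendar month) are an assumption."""
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set


def select_backups_to_keep(dumps: Iterable[date], daily: int = 14,
                           weekly: int = 8, monthly: int = 12) -> Set[date]:
    """Return the dump dates to retain. A dump may satisfy several tiers at once."""
    ordered = sorted(set(dumps), reverse=True)  # newest first
    keep: Set[date] = set(ordered[:daily])

    # Weekly tier: newest dump in each ISO week, for the most recent `weekly` weeks with a dump.
    # Iterating newest-first means setdefault records the newest dump per bucket.
    by_week: Dict[tuple, date] = {}
    for d in ordered:
        by_week.setdefault(tuple(d.isocalendar()[:2]), d)
    keep.update(list(by_week.values())[:weekly])

    # Monthly tier: newest dump in each calendar month, most recent `monthly` months.
    by_month: Dict[tuple, date] = {}
    for d in ordered:
        by_month.setdefault((d.year, d.month), d)
    keep.update(list(by_month.values())[:monthly])
    return keep


def sample_dumps(end: date = date(2026, 4, 19), days: int = 400) -> List[date]:
    """Constructed input: one dump per night for `days` nights ending on `end`."""
    return [end - timedelta(days=i) for i in range(days)]


def example_plan() -> Dict[str, List[str]]:
    """Run the policy over the sample run; returns ISO date strings for keep/delete."""
    dumps = sample_dumps()
    keep = select_backups_to_keep(dumps)
    return {
        "keep": sorted(d.isoformat() for d in keep),
        "delete": sorted(d.isoformat() for d in dumps if d not in keep),
    }


if __name__ == "__main__":
    plan = example_plan()
    print(len(plan["keep"]), "kept;", len(plan["delete"]), "to delete")
```

On the 400-night sample the policy keeps 31 dumps: the last 14 nights, six further Sunday dumps from the eight-week window (two Sundays already fall inside the daily tier), and eleven further month-end dumps. Run the pruning against the offsite mirror as well as the primary volume, or the tiers there will drift.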
Observability
Prometheus metrics (IP-allowlisted scraper), structured JSON logs, and a live system status page. Every domain mutation that matters (order stage transitions, discount changes, webhook deliveries, agent runs) writes an audit log row.
Sub-processors
| Vendor | Purpose | Region |
|---|---|---|
| Clerk | Identity, SSO, JWT issuance | US (EU data-residency available) |
| DigitalOcean | Primary compute (droplet), block storage | London (LON1) |
| Cloudflare | Edge DNS, R2 offsite backups | Global (auto region for R2) |
| Stripe | Payment processing | Regional per merchant |
| Anthropic | AI Studio homepage generation | US |
| Postmark / SendGrid | Transactional email (planned) | EU / US |
Responsible disclosure
Found a vulnerability? Email security@kommercio.io. We respond within 2 working days. Please don't test against live merchant tenants — we'll provision a research tenant for you on request.
Draft stub for pre-GA. Will be superseded by an externally reviewed trust page with downloadable SOC 2 / ISO reports post-GA.