Security
HYGO Shop is built by HYGO Inc. on Cloudflare Workers, R2, Queues, and Hyperdrive. Every external integration is wrapped in an adapter; vendor SDKs do not appear in our consumer code. Every merchant's data is row-scoped at the database level via Postgres row-level security with loud-fail mode.
Encryption
- In transit — TLS 1.3 end-to-end via Cloudflare. HTTP/3 enabled. HSTS preloaded.
- At rest — Postgres on encrypted volumes (Cloudflare-Tunneled droplet OR Neon's managed encryption). R2 storage AES-256 by default. Backup volumes encrypted on rest before R2 upload.
- Secrets — Cloudflare Secret Bindings for production credentials (Stripe, Shopify, Ayrshare, etc.). No secrets ever live in the code repo.
Multi-tenant isolation
- Shared tier (Start, Connect, Augment) — Postgres row-level security on every canonical table. RLS uses
current_setting('app.merchant_id', false)in loud-fail mode: a query without merchant context raises an error, never silently returns zero rows. - Isolated schema (Migrate) — dedicated Postgres schema per merchant. Merchant-id-scoped queries become schema-scoped queries; cross-tenant access is impossible at the DB level.
- Isolated database (Migrate, optional) — dedicated Postgres database. For merchants with regulatory residency requirements.
- Verification — every deploy runs an RLS smoke script that asserts loud-fail mode is active and cross-tenant queries return zero rows. Deploy halts on smoke failure.
Authentication + authorization
- SuperTokens — session management, MFA-capable. Operator + merchant identities both flow through SuperTokens.
- Per-domain auth-introspect — HYGO Shop's worker forwards each request's session cookie to a verifier service. KV-cached for 60 seconds, fail-closed on any verification error.
- Role-based access — admin, merchant, operator. Routes are scoped by role; admin-only routes (e.g. operator invitation) reject non-admin sessions with 403.
- Operator invite-only onboarding — Phase J ships invite-only signup with token expiry + redemption tracking.
Operator.invitedByis stamped at creation for full audit lineage.
Webhook + payment integrity
- HMAC-SHA256 verification on every webhook (Shopify, Ayrshare, Stripe, EasyPost). Hex- or base64-encoded depending on provider.
- Constant-time comparison on every signature check.
- Delivery dedup — every webhook has its delivery id stored after first acknowledge. Replays return 200 + dedup-flag without re-running side effects.
- Stripe Connect escrow — operator payouts hold in escrow until task completion. Released-but-unpaid state is retryable; failed payouts never auto-revert (payments are forward-only after release).
Provenance + audit
- Generated-content provenance — every ContentAsset stores model id, version, prompt hash, source product references, generation timestamp, and (when applicable) the operator who reviewed it. You can audit which model wrote any post you publish.
- Cost attribution — every external model call is tagged with merchant id, campaign id, and intent template id. Per-merchant inference cost is queryable.
- Operator task audit — task lifecycle events (open → claimed → completed | escalated) recorded with operator id and timestamps. Escrow events similarly logged.
Vendor SDK boundary
No vendor SDK is imported outside its adapter package. The `pnpm lint:adapter-boundary` check fails CI if a Stripe / Shopify / Amazon / Ayrshare SDK leaks into consumer code. This means a compromised vendor library can't reach beyond its adapter — and switching providers is a configuration change, not a refactor.
Subprocessors
Full list at /subprocessors. Subprocessors are listed as markdown so updates are git-tracked and version-history is auditable.
SOC 2 + audits
SOC 2 Type II audit is in progress (engagement letter signed with our auditor; report expected late 2026). Until the audit report lands, our security posture is documented here and validated by our internal smoke + lint suites — every merge runs the full multi-tenant isolation test, the adapter-boundary lint, and the RLS smoke against staging Postgres.
Disclosure
Found a security issue? Email security@hygoshop.com. We acknowledge within 24 hours, triage within 3 business days, and disclose responsibly via coordinated release once a fix ships. We do NOT have a paid bug bounty program at this time — we acknowledge researchers in our security disclosure log (lives at /security/disclosures after the first disclosure).
Last updated: 2026-05-07
HYGO Shop