Security

HYGO Shop is built by HYGO Inc. on Cloudflare Workers, R2, Queues, and Hyperdrive. Every external integration is wrapped in an adapter; vendor SDKs do not appear in our consumer code. Every merchant's data is row-scoped at the database level via Postgres row-level security with loud-fail mode.

Encryption

Multi-tenant isolation

Authentication + authorization

Webhook + payment integrity

Provenance + audit

Vendor SDK boundary

No vendor SDK is imported outside its adapter package. The `pnpm lint:adapter-boundary` check fails CI if a Stripe / Shopify / Amazon / Ayrshare SDK leaks into consumer code. This means a compromised vendor library can't reach beyond its adapter — and switching providers is a configuration change, not a refactor.

Subprocessors

Full list at /subprocessors. Subprocessors are listed as markdown so updates are git-tracked and version-history is auditable.

SOC 2 + audits

SOC 2 Type II audit is in progress (engagement letter signed with our auditor; report expected late 2026). Until the audit report lands, our security posture is documented here and validated by our internal smoke + lint suites — every merge runs the full multi-tenant isolation test, the adapter-boundary lint, and the RLS smoke against staging Postgres.

Disclosure

Found a security issue? Email security@hygoshop.com. We acknowledge within 24 hours, triage within 3 business days, and disclose responsibly via coordinated release once a fix ships. We do NOT have a paid bug bounty program at this time — we acknowledge researchers in our security disclosure log (lives at /security/disclosures after the first disclosure).

Last updated: 2026-05-07