Security

Our Commitment

Storevana is built for merchants who trust us with their business and their customers’ data. Security is not an afterthought — it is foundational to everything we build.

Infrastructure

• Encryption in transit. All traffic between browsers, APIs, and databases is encrypted via TLS 1.2+.
• Encryption at rest. Database volumes and file storage use AES-256 encryption.
• Isolated environments. Staging and production run on separate infrastructure with independent databases and credentials.
• Automated backups. Database backups run on a regular schedule and are encrypted and stored off-site.

Application Security

• Multi-tenant isolation. Every database query is scoped to the current merchant via PostgreSQL Row-Level Security (RLS). One merchant’s data is never accessible to another.
• Authentication. We use JWT-based authentication with secure, HTTP-only cookies. Passwords are hashed with bcrypt.
• Role-based access control. Merchant team members are assigned granular roles (owner, admin, editor) that restrict what they can view and modify.
• Input validation. All API inputs are validated with strict schemas to prevent injection and malformed data.

Payment Security

Storevana never stores full credit card numbers. All payment processing is handled by PCI DSS Level 1 compliant providers:

• Stripe for international card payments.
• Razorpay for UPI, cards, and wallets in India.

Card details are tokenized by the payment provider before reaching our servers. We only store the last four digits and transaction identifiers for order tracking.

Access Controls

• SSH access to production servers is key-based only, with non-standard ports and fail2ban protection.
• Database access is restricted to application service accounts with least-privilege permissions.
• Admin panel access requires authenticated sessions with appropriate platform roles.

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly. Email us at [email protected]. We take all reports seriously and will respond within 48 hours.

Continuous Improvement

Security is an ongoing process. We regularly review our infrastructure, dependencies, and practices. This page will be updated as our security posture evolves.