What we store, who can access it, and how to report vulnerabilities.
We keep our attack surface small: we use only public Shopify App Store data and never touch your Shopify Partners credentials. Authentication runs through Better Auth. Subprocessors are listed below, and security reports go to a monitored inbox.
Our security decisions
Public data only
We use only public Shopify App Store data. We never store or transmit your Shopify Partners credentials.
Email/password or Google sign-in
Better Auth + Drizzle. Email/password with mandatory verification and secure reset, or Google OAuth scoped to email and profile. Passwords are hashed by Better Auth. We never roll our own crypto.
Encrypted at rest
Postgres 16 on Railway, encrypted by the platform. Redis (BullMQ) holds short-lived jobs only.
Encrypted in transit
HTTPS-only domain. HSTS preload submission planned post-launch. No HTTP fallback.
Minimal subprocessors
Stripe (billing), Resend (email), OpenRouter (AI Visibility), Sentry (errors), an infrastructure provider (data delivery), Railway (hosting), Cloudflare R2 (storage). The full list is below.
Logged & monitored
Pino structured logs everywhere. Sentry on every deployable. Health endpoints on web + workers, paged on failure.
If you find something, write us
We credit reporters publicly once a fix ships. Good-faith security research is welcome and won’t result in legal action.
Send a description, repro steps, and the impact. We confirm receipt within one working day.
security@asomify.com
Subprocessor list
Every third party that touches data, what they do, and what they see. The full DPA carries the contractual detail.
| Subprocessor | Purpose | Data it touches |
|---|---|---|
| Stripe | Billing & payments | Email, payment details |
| Resend | Transactional email | Email address, send events |
| OpenRouter | AI Visibility queries | Category prompts — no customer data |
| Sentry | Error monitoring | Error & diagnostic metadata |
| Railway | Hosting & database | All application data at rest |
| Cloudflare R2 | Object storage | Listing snapshots & assets |
| Infrastructure provider | Public-data delivery | Public store data only |
Need a custom DPA or BAA?
Send a redline. We reply with comments inside two working days.