Security at Vericog
Dealers trust Vericog with the operating data of businesses that move six and seven figures of inventory. Here is, concretely, how that data is protected.
Tenant isolation
Every record in Vericog is scoped to your account. Cross-tenant access is enforced at the query layer and covered by our automated test suite, including dedicated tests for cross-tenant access attempts.
Encryption
All traffic is TLS-encrypted in transit. Marketplace credentials — eBay tokens, Shopify access tokens — are encrypted at rest. API keys are never stored in plaintext: we keep only a SHA-256 hash, and the Shopify connector encrypts its stored credentials with AES-256-GCM.
Webhook integrity
Marketplace webhooks are HMAC-signature-verified — twice, independently, for Shopify traffic (once at the connector, again at our backend). Replayed deliveries are detected and processed exactly once. Requests are rate-limited per account.
Payments
Subscriptions are processed by Stripe. Card details go directly to Stripe and are never stored on Vericog's servers.
Privacy & GDPR
Our Shopify connector implements Shopify's mandatory privacy webhooks: customer data requests are surfaced for action, and redaction requests automatically anonymize the affected customer data. See our privacy policy for how we handle data generally.
Infrastructure
Application data lives in PostgreSQL; images are stored on Cloudflare R2. Account activity is logged in an audit trail visible in your settings.
What we're honest about
We don't yet hold formal certifications (SOC 2 / ISO 27001), and multi-factor authentication is on our near-term roadmap. If either is a requirement for your business, tell us — it moves the roadmap.
Security questions or reports
Email [email protected] — security reports are read first and answered fastest.