Trust & Security

Security at Vericog

Dealers trust Vericog with the operating data of businesses that move six and seven figures of inventory. Here is, concretely, how that data is protected.

Tenant isolation

Every record in Vericog is scoped to your account. Cross-tenant access is enforced at the query layer and covered by our automated test suite, including dedicated tests for cross-tenant access attempts.

Encryption

All traffic is TLS-encrypted in transit. Marketplace credentials — eBay tokens, Shopify access tokens — are encrypted at rest. API keys are never stored in plaintext: we keep only a SHA-256 hash, and the Shopify connector encrypts its stored credentials with AES-256-GCM.

Webhook integrity

Marketplace webhooks are HMAC-signature-verified — twice, independently, for Shopify traffic (once at the connector, again at our backend). Replayed deliveries are detected and processed exactly once. Requests are rate-limited per account.

Payments

Subscriptions are processed by Stripe. Card details go directly to Stripe and are never stored on Vericog's servers.

Privacy & GDPR

Our Shopify connector implements Shopify's mandatory privacy webhooks: customer data requests are surfaced for action, and redaction requests automatically anonymize the affected customer data. See our privacy policy for how we handle data generally.

Infrastructure

Application data lives in PostgreSQL; images are stored on Cloudflare R2. Account activity is logged in an audit trail visible in your settings.

What we're honest about

We don't yet hold formal certifications (SOC 2 / ISO 27001), and multi-factor authentication is on our near-term roadmap. If either is a requirement for your business, tell us — it moves the roadmap.

Security questions or reports

Email [email protected] — security reports are read first and answered fastest.