Safe, secure, and private.
We hold OAuth tokens to your Shopify, ad accounts and email tools. We take that seriously. Here's exactly how those credentials, and the data they unlock, are protected.
Six layers, none of them optional.
Each layer is a separate control. Each card opens for the technical detail your IT lead will ask about.
Encrypted at rest, in transit, and at the key level.
Every OAuth token and third-party credential is wrapped with AES-256-GCM before it touches the database. Connections run over TLS 1.2+ only. Keys rotate without downtime.
Token wrapping uses AES-256-GCM with per-row encryption — Shopify, Meta, TikTok, Google, Pinterest, Klaviyo and every other integration credential is encrypted before it is persisted, and never logged in plaintext.
Network traffic is TLS 1.2+ end-to-end with HSTS preload, including database connections and internal service-to-service calls. Plain HTTP is refused.
Encryption keys are managed via a dual-key scheme (ENCRYPTION_KEY + ENCRYPTION_KEY_PREVIOUS) so rotation happens without taking the app offline. A rotation script re-wraps existing rows in the background.
Your data, fenced off at the database.
Briezo runs on Postgres with row-level security policies enforcing per-store and per-user boundaries. Production refuses to run a query without an authenticated context.
Every tenant-bearing table has a Postgres RLS policy that filters on the request-scoped app.user_id / app.store_id session variables. A Prisma client extension sets these on each request, and production refuses to execute any query without them.
Application-level WHERE userId = … filters are the first gate; RLS is the defense-in-depth that catches anything that slips past — including ad-hoc queries from internal tools.
Sessions you can revoke. Passwords we never see.
Authentication runs on NextAuth with hashed credentials, secure HTTP-only cookies, and one-click session revocation. OAuth state tokens use timing-safe comparisons.
Passwords are stored as salted bcrypt hashes — we never see the plaintext at any point, and anyone who obtained a database backup could not recover passwords from it. Forgot-password flows use single-use, time-bounded tokens.
Sessions live in HTTP-only, Secure, SameSite cookies. You can revoke any active session from Settings → Security at any time. OAuth callback state is verified with a constant-time comparison to prevent state-fixation attacks.
Admin endpoints are rate-limited, audit-logged, and gated behind an internal allow-list. Failed logins, password resets and rate-limit hits are recorded for forensic review.
Hosted on managed, hardened platforms.
Compute, Postgres, and Redis are managed by Railway with nightly backups and point-in-time recovery. The marketing site sits behind a CDN with strict headers.
Postgres, Redis and application containers run on Railway with automated nightly backups and point-in-time recovery within the retention window. We don't self-host anything we don't have to.
The marketing site and dashboard sit behind a CDN with HSTS preload, a strict Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, and Referrer-Policy strict-origin-when-cross-origin.
Sub-processors (Anthropic, Stripe, Postmark, Railway, Cloudflare) and their roles are enumerated in the DPA.
GDPR, CCPA, and Australian Privacy Act ready.
We process data as a Processor under GDPR Article 28. You can export or delete every byte we hold. We don't train AI models on your customer data. We don't sell it.
Briezo acts as a Data Processor under GDPR Article 28 for the Merchant data we store on your behalf. Our Data Processing Agreement is published in full — no “contact sales” gate.
Every byte we hold about your store can be exported or deleted from the dashboard, or by email request, in line with GDPR, CCPA / CPRA, and the Australian Privacy Principles.
We do not use your customer data to train, fine-tune, or improve AI models — ours, Anthropic's, or any other third party's. Inference traffic to the Anthropic API is governed by their no-training data-use policy.
Errors and anomalies, watched continuously.
Sentry tracks every server error with PII scrubbing. Structured logs flow into a queryable pipeline. Failed logins, rate limits, and admin actions are recorded.
Sentry captures server errors with PII scrubbing on the way in, so we can debug regressions without seeing customer identifiers. Source-mapped stack traces speed up triage.
Application logs are structured (JSON), shipped off-host, and queryable — failed logins, rate-limit hits, OAuth callbacks, billing events and admin actions are all indexed and retained.
Health probes monitor every cron and integration job; alerts page on-call when the dashboard, queue depth or sync freshness drift outside their thresholds.
For the security-curious. Or your IT lead.
Forward this page to procurement. Everything they need is here.
We're building to SOC 2 Type II controls. We're not attested yet.
SOC 2 is an attestation, not a certificate — an independent auditor confirms that your security controls operated effectively over an observation window. We're designing every control on this page to that bar, but until an auditor has signed the report, we won't claim it.
Need answers sooner? Request a security review below — we'll share our current control matrix, sub-processor list, and incident response policy under NDA.
Request a security review.
For prospects with security or procurement requirements, we'll share our control matrix, sub-processor list, and incident response policy under NDA. One business-day turnaround.
Found a vulnerability?
Email security@briezo.com with a description and proof of concept. We acknowledge every report within one business day, fix verified issues in priority order, and credit you publicly if you'd like.