
# Security Policy


EshopListing / Two Wolves

Last updated: March 23, 2026


---


## 1. Our Security Commitment


EshopListing is built on the principle that merchants trust us with access to their store infrastructure and product data. We treat that trust as a core responsibility. This document describes the technical and organizational measures we implement to protect your data and maintain service integrity.


---


## 2. Infrastructure Security


### Hosting & Network


- Vercel Edge Network — all production workloads are deployed on Vercel's globally distributed edge infrastructure with automatic DDoS mitigation, WAF (Web Application Firewall), and anycast routing.

- HTTPS everywhere — all data in transit is encrypted using TLS 1.3. HTTP connections are automatically redirected to HTTPS. HSTS is enforced with a max-age of 63,072,000 seconds (two years).

- No shared infrastructure — each deployment is isolated. We do not run multi-tenant database clusters on shared VMs.


### Database


- Convex (EU West region) — our primary database runs on Convex's managed infrastructure, hosted in the EU West region (Dublin, Ireland). Convex provides automatic backups, point-in-time recovery, encryption at rest (AES-256), and row-level security.

- Encryption at rest — all stored data, including product catalogs, API keys (hashed), and account records, is encrypted at rest.

- Encryption in transit — all connections between our application layer and the database use TLS-encrypted channels.


### Backups


- Automatic daily snapshots retained for 30 days.

- Point-in-time recovery available up to 7 days.

- Backup integrity is verified automatically after each snapshot.


---


## 3. Application Security


### Authentication


- User authentication is handled via Convex Auth supporting Google OAuth 2.0 and email/password flows.

- Passwords are hashed using bcrypt with a minimum cost factor of 12. Raw passwords are never stored or logged.

- Google OAuth tokens are validated server-side against Google's public key infrastructure on every request.

- Session tokens are short-lived, signed, and invalidated on logout.


### API Keys


- API keys are generated using a cryptographically secure random number generator (CSPRNG).

- Raw keys are displayed only once at creation time and are never recoverable.

- Stored keys are hashed using SHA-256 with a unique salt per key. Only the hash is stored.

- Keys can be revoked instantly via the Dashboard. Revocation takes effect within 60 seconds across all edge nodes.


### HTTP Security Headers


All responses from EshopListing include the following security headers:


| Header | Value |
|--------|-------|
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | camera=(), microphone=(), geolocation=() |
| Content-Security-Policy | Configured per environment |
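An added example of how a deploy pipeline could check a live response against the header policy in this table. It is not EshopListing's code; `policy` encodes the table's rows as predicates and `auditHeaders` is a hypothetical helper. Content-Security-Policy is only checked for presence because the table states its value is environment-specific.

```javascript
// Added example: audit a response's headers against the policy table above.
// Each rule receives the header value and returns true when it satisfies the policy.
const policy = {
  'strict-transport-security': (v) => {
    const maxAge = Number((/max-age=(\d+)/i.exec(v) || [])[1]);
    return maxAge >= 63072000 && /includesubdomains/i.test(v) && /preload/i.test(v);
  },
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'x-frame-options': (v) => v.trim().toUpperCase() === 'DENY',
  'referrer-policy': (v) => v.trim().toLowerCase() === 'strict-origin-when-cross-origin',
  'permissions-policy': (v) => {
    const compact = v.replace(/\s+/g, '').toLowerCase();
    return ['camera=()', 'microphone=()', 'geolocation=()'].every((d) => compact.includes(d));
  },
  // Value is configured per environment, so only presence is verified here.
  'content-security-policy': (v) => v.trim().length > 0,
};

// Returns the names of headers that are missing or fail their rule; [] means compliant.
// Header names are matched case-insensitively, as HTTP requires.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  return Object.entries(policy)
    .filter(([name, ok]) => !(name in lower) || !ok(lower[name]))
    .map(([name]) => name)
    .sort();
}

// Constructed sample responses for the example (not captured from any real host).
const compliantHeaders = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy': "default-src 'self'",
};

const weakHeaders = {
  'Strict-Transport-Security': 'max-age=300',            // too short, no subdomains/preload
  'X-Frame-Options': 'SAMEORIGIN',                        // policy requires DENY
  'Referrer-Policy': 'strict-origin-when-cross-origin',   // fine
  'Permissions-Policy': 'camera=(), microphone=()',       // geolocation not disabled
  // X-Content-Type-Options and Content-Security-Policy absent
};

module.exports = { policy, auditHeaders, compliantHeaders, weakHeaders };
```

Against a live deployment the same check runs as `fetch(url).then((r) => auditHeaders(Object.fromEntries(r.headers)))`; a non-empty result is a reason to fail the build.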


### Rate Limiting


- All public API endpoints enforce per-IP rate limits.

- Authentication endpoints enforce stricter limits with exponential backoff after failed attempts.

- Scan endpoints are rate-limited per account tier to prevent abuse.

- Rate limit violations are logged and monitored for abuse patterns.


### Input Validation & Sanitization


- All user inputs are validated server-side using strict schema validation before processing.

- Domain inputs are normalized and validated against RFC 3986.

- Product data from external stores is sanitized before indexing to prevent injection into AI-readable outputs.

- SQL injection, XSS, and SSRF protections are implemented at the application layer.


### Access Controls


- Role-based access control (RBAC) — admin routes are separated from merchant routes and protected by role verification middleware.

- Admin endpoints are excluded from search engine indexing via robots.txt and X-Robots-Tag headers.

- Least-privilege principle: internal services only have access to the data they require.

- All administrative actions are logged with actor, timestamp, and action details.


---


## 4. Payment Security


All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of payment security certification.


- EshopListing never stores, processes, or transmits cardholder data on our servers.

- Payment forms load directly from Stripe's servers (Stripe Elements / Stripe Checkout).

- Stripe webhook events are verified using HMAC-SHA256 signatures to prevent spoofing.

- Subscription management (upgrades, downgrades, cancellations) is handled through Stripe's billing infrastructure.


---


## 5. Blockchain Verification Security


Business and Protocol Scale plan subscribers receive a Solana compressed NFT (cNFT) as a tamper-proof trust certificate.


- cNFTs are minted on the Solana mainnet using compressed state trees (Metaplex Bubblegum protocol).

- Certificates contain only: store domain, verification timestamp, and trust score — no personal information is written to the blockchain.

- Once minted, records are permanent and cannot be altered or deleted — this is the intended security property.

- The private keys used for minting are stored in a hardware security module (HSM) environment and are not accessible to application-layer code.


---


## 6. Operational Security


### Employee Access


- Access to production systems is limited to authorized engineers on a need-to-know basis.

- All production access requires MFA (multi-factor authentication).

- Access privileges are reviewed quarterly and revoked immediately upon role change or termination.

- No employee has standing access to raw customer data; access requires an approved request with audit logging.


### Development Practices


- Code changes undergo peer review before merging to production.

- Secrets (API keys, credentials) are stored in environment variable management systems, never in source code.

- Dependency scanning is run on every build to detect known vulnerabilities in third-party packages.

- Production deployments are automated and immutable — no manual SSH access to production servers.


### Logging & Monitoring


- All API requests, authentication events, and administrative actions are logged with full context.

- Anomaly detection alerts are configured for unusual access patterns, error spikes, and authentication failures.

- Logs are retained for 90 days and stored separately from production data.


---


## 7. Incident Response


In the event of a confirmed security incident:


1. Detection — automated monitoring alerts the security team within minutes of anomalous activity.

2. Containment — affected systems are isolated to prevent further exposure.

3. Assessment — scope, impact, and affected accounts are determined.

4. Notification — if personal data is involved, affected users and the Lithuanian State Data Protection Inspectorate (VDAI) are notified within 72 hours of discovery, as required by GDPR Article 33/34.

5. Remediation — root cause is addressed, fix is deployed, and controls are updated.

6. Post-mortem — a written incident report is prepared internally, and relevant findings are communicated to affected users.


---


## 8. Vulnerability Disclosure (Responsible Disclosure)


We welcome reports from security researchers.


Contact: hello@eshoplisting.com

Subject line: [SECURITY] Vulnerability Report


Our commitments:

- We will acknowledge your report within 48 hours.

- We will provide a status update within 7 business days.

- We will not pursue legal action against researchers acting in good faith who follow responsible disclosure practices.

- We ask that you not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.

- We ask that you give us a reasonable remediation window (minimum 30 days) before public disclosure.


Please include in your report: affected URL/endpoint, steps to reproduce, potential impact, and any proof-of-concept (without actually exploiting the vulnerability against real user data).


---


## 9. Third-Party Security


| Provider | Purpose | Security Certification |
|----------|---------|------------------------|
| Vercel | Hosting & edge | SOC 2 Type II |
| Convex | Database | SOC 2 Type II |
| Stripe | Payments | PCI DSS Level 1 |
| Google | OAuth | ISO 27001, SOC 2 |


We conduct periodic reviews of our third-party providers' security posture. We only share data with third parties as described in our Privacy Policy.


---


## 10. GDPR & Data Protection Compliance


EshopListing operates from Lithuania, European Union, and processes personal data in compliance with GDPR (Regulation (EU) 2016/679).


- We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

- We maintain records of processing activities as required by Article 30 GDPR.

- Our primary legal basis for processing merchant data is Article 6(1)(b) (performance of a contract) and Article 6(1)(f) (legitimate interests) for security and analytics.

- International data transfers (e.g., to Stripe in the US) are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.


---


## 11. Contact


For security-related inquiries: hello@eshoplisting.com


For data protection matters: hello@eshoplisting.com (attn: Data Protection)


Supervisory Authority: Lithuanian State Data Protection Inspectorate (VDAI)

Website: [vdai.lrv.lt](https://vdai.lrv.lt)