Trust center

Security and data handling

Cash Margin Partners protects boutique inventory, order, margin, billing, and account data with encryption, tenant isolation, signed integrations, and a direct security response path.

Contact security Review privacy policy

Data model

Tenant isolated

Boutique-scoped rows are protected with Postgres row-level security.

Payment data

Stripe hosted

Card numbers, CVCs, and bank account numbers do not reach CMP servers.

Webhooks

Signed and deduped

Shopify and Stripe deliveries are signature-verified before processing.

Security contact

< 24h target

We target acknowledgement of vulnerability reports within one day.

Controls

Designed for review before a store connects

These are the operational controls and boundaries we can describe publicly today. We keep the language concrete so an owner, CFO, or IT reviewer can quickly understand what is protected and what is not being claimed.

Protect

Data protection controls

Controls are designed around inventory, order, margin, billing, and operator data that a boutique would not want exposed to competitors.

Shopify access tokens are encrypted with AES-256-GCM before they are written to the database.
Plaintext access tokens are not written to application logs, error reports, or analytics events.
Browser, Shopify Admin API, Stripe API, and Supabase Postgres traffic uses TLS in transit.
Session cookies are flagged HttpOnly and Secure, and authentication records are managed through Supabase Auth.

Separate

Tenant isolation and access boundaries

Application access is constrained so one boutique's data is not available to another boutique during normal product use.

Every boutique-scoped table in the production Postgres schema uses row-level security.
Service-role access is reserved for server-side jobs and handlers that need controlled system-level access.
Demo organization data is explicitly tagged so prospect demos do not expose real customer records.
Feature entitlements are checked by organization, not by client-side UI state alone.

Verify

Webhook and integration integrity

Inbound integration traffic is checked before the application trusts or applies it.

Shopify webhooks are verified with HMAC-SHA256 over the raw request body before parsing.
Stripe webhooks are verified with Stripe's signed event helper and endpoint signing secret.
Webhook deliveries are deduplicated through idempotency records to reduce replay and retry risk.
Shopify data is pulled only after a store owner completes OAuth consent for the requested scopes.

Respond

Monitoring, response, and recovery

Operational telemetry is used to investigate reliability and security events without repurposing customer data for advertising.

Security logs, audit events, and error telemetry are retained for operational security and incident review.
Critical issues are triaged for mitigation, customer impact assessment, and direct customer updates when needed.
We publish a postmortem for incidents that expose customer data.
Confirmed vulnerability reports should go to security@cashmarginpartners.com.

Data lifecycle

How customer data moves through the product

Customer data is used to operate the diagnostic, support the account, bill the subscription, and maintain security. It is not sold or repurposed for advertising.

Connect

A store owner authorizes Shopify access through OAuth and the requested scopes. We do not pull store data before consent.

Process

Inventory and order history are used to classify SKUs, generate reports, create action plans, and power weekly alerts.

Retain

Reports, classifier output, action plans, billing metadata, security logs, and account records are retained while needed for product, security, billing, or legal obligations.

Delete

Account deletion requests are completed within 30 days, subject to billing, security, tax, dispute, and backup-retention obligations.

Boundaries

Plain statements about what we do not do

Trust pages are only useful when they separate real controls from marketing language. These are explicit limits on how we handle customer data and compliance claims.

We do not sell Business Data or Personal Information. Anonymized Data is governed by the Privacy Policy.
We do not share customer data with ad networks or data brokers.
We do not run third-party advertising trackers on the marketing site or the product.
We do not store credit card numbers; Stripe hosts Checkout and the Customer Portal.
We do not claim SOC 2, ISO 27001, HIPAA, or PCI certification for Cash Margin Partners on this page.

Response and requests

Need a security review, incident report path, or data request?

Report vulnerabilities and suspected incidents through the security mailbox. For exports, deletions, privacy questions, or customer account requests, use the general support mailbox so we can verify the requester before releasing or changing account data.

Security reportssecurity@cashmarginpartners.com Data and account requestsprivacy@CashMarginPartners.com

Trust center

Security and data handling

Cash Margin Partners protects boutique inventory, order, margin, billing, and account data with encryption, tenant isolation, signed integrations, and a direct security response path.

Contact security Review privacy policy

Data model

Tenant isolated

Boutique-scoped rows are protected with Postgres row-level security.

Payment data

Stripe hosted

Card numbers, CVCs, and bank account numbers do not reach CMP servers.

Webhooks

Signed and deduped

Shopify and Stripe deliveries are signature-verified before processing.

Security contact

< 24h target

We target acknowledgement of vulnerability reports within one day.

Controls

Designed for review before a store connects

Protect

Data protection controls

Controls are designed around inventory, order, margin, billing, and operator data that a boutique would not want exposed to competitors.

Shopify access tokens are encrypted with AES-256-GCM before they are written to the database.
Plaintext access tokens are not written to application logs, error reports, or analytics events.
Browser, Shopify Admin API, Stripe API, and Supabase Postgres traffic uses TLS in transit.
Session cookies are flagged HttpOnly and Secure, and authentication records are managed through Supabase Auth.

Separate

Tenant isolation and access boundaries

Application access is constrained so one boutique's data is not available to another boutique during normal product use.

Every boutique-scoped table in the production Postgres schema uses row-level security.
Service-role access is reserved for server-side jobs and handlers that need controlled system-level access.
Demo organization data is explicitly tagged so prospect demos do not expose real customer records.
Feature entitlements are checked by organization, not by client-side UI state alone.

Verify

Webhook and integration integrity

Inbound integration traffic is checked before the application trusts or applies it.

Shopify webhooks are verified with HMAC-SHA256 over the raw request body before parsing.
Stripe webhooks are verified with Stripe's signed event helper and endpoint signing secret.
Webhook deliveries are deduplicated through idempotency records to reduce replay and retry risk.
Shopify data is pulled only after a store owner completes OAuth consent for the requested scopes.

Respond

Monitoring, response, and recovery

Operational telemetry is used to investigate reliability and security events without repurposing customer data for advertising.

Security logs, audit events, and error telemetry are retained for operational security and incident review.
Critical issues are triaged for mitigation, customer impact assessment, and direct customer updates when needed.
We publish a postmortem for incidents that expose customer data.
Confirmed vulnerability reports should go to security@cashmarginpartners.com.

Data lifecycle

How customer data moves through the product

Customer data is used to operate the diagnostic, support the account, bill the subscription, and maintain security. It is not sold or repurposed for advertising.

Connect

A store owner authorizes Shopify access through OAuth and the requested scopes. We do not pull store data before consent.

Process

Inventory and order history are used to classify SKUs, generate reports, create action plans, and power weekly alerts.

Retain

Reports, classifier output, action plans, billing metadata, security logs, and account records are retained while needed for product, security, billing, or legal obligations.

Delete

Account deletion requests are completed within 30 days, subject to billing, security, tax, dispute, and backup-retention obligations.

Boundaries

Plain statements about what we do not do

Trust pages are only useful when they separate real controls from marketing language. These are explicit limits on how we handle customer data and compliance claims.

We do not sell Business Data or Personal Information. Anonymized Data is governed by the Privacy Policy.
We do not share customer data with ad networks or data brokers.
We do not run third-party advertising trackers on the marketing site or the product.
We do not store credit card numbers; Stripe hosts Checkout and the Customer Portal.
We do not claim SOC 2, ISO 27001, HIPAA, or PCI certification for Cash Margin Partners on this page.

Response and requests

Need a security review, incident report path, or data request?

Security reportssecurity@cashmarginpartners.com Data and account requestsprivacy@CashMarginPartners.com