Security
Last updated: 2026-05-12
SeedPeep handles data from Shopify stores and public TikTok profiles on behalf of our merchants. We take that responsibility seriously. This page summarises the technical and organisational controls we have in place. For questions or to report a security issue, email [email protected].
1. Hosting and infrastructure
- Hosting provider: Railway, hosted in the United States. Railway maintains SOC 2 Type II compliance and operates on top of major US cloud providers.
- Tenant isolation: Our application runs in isolated containers with no shared compute or storage with other Railway tenants.
- Database: PostgreSQL, Railway-managed, US-region, encrypted at rest. The database has no public ingress; it is reachable only from our application servers over TLS.
- Backups: Daily automated backups managed by Railway, encrypted and retained in the same region.
2. Data in transit and at rest
- In transit: TLS 1.2+ for all connections — browser to application, application to database, application to third-party APIs. HTTP Strict Transport Security is enforced on production domains.
- At rest: Database storage is encrypted at the disk level by our infrastructure provider. Sensitive credentials (Shopify access tokens, refresh tokens) are stored in the database alongside application data and inherit the same encryption-at-rest protection.
- Secrets management: API keys, OAuth secrets, and signing keys are stored as Railway environment variables, never committed to source control, and never written to application logs.
3. Authentication and access control
- Merchant authentication: Email/password, Google OAuth, or Shopify OAuth via Better Auth. Session cookies are HttpOnly and SameSite=Lax, and are signed with HMAC-SHA256 so that a tampered cookie fails verification.
- Password storage: Hashed using bcrypt (handled by Better Auth). We never see or store passwords in plaintext.
- Authorisation: Every merchant's data is scoped to their organisation. All loaders and actions require an authenticated session with an active organisation membership, and every data query is filtered by the organisation of that session, so one organisation's requests cannot reach another organisation's rows at the query layer.
- Admin access: An internal admin panel exists for customer support and operational visibility. Admin access is gated by an explicit isAdmin flag on the user record that can only be set by a direct database operation; no application code path grants admin privileges. Admin actions are logged.
- Production access: Production infrastructure (Railway, GitHub, Resend, Anthropic, domain registrar) is accessed only by named personnel with multi-factor authentication enabled on every service.
4. Workstation and operational security
- Workstations run macOS with full-disk encryption (FileVault) and built-in malware protection (XProtect, Gatekeeper, System Integrity Protection).
- Screen lock is enforced after a short idle timeout. Credentials are stored in a password manager; no shared accounts.
- Multi-factor authentication is required on every production service we use.
- Software updates are applied promptly on both workstations and production dependencies.
5. Application and dependency security
- All code changes go through pull request review before merging to the production branch. CI runs type-checking and tests on every change.
- Dependency vulnerabilities are monitored continuously via GitHub Dependabot with automated security updates. npm audit is run before each production deployment.
- We follow secure coding practices to defend against the OWASP Top 10: parameterised queries via Prisma (no raw SQL concatenation), CSRF-protected forms, input validation on user-controlled data, output escaping in HTML, and origin checks on authentication endpoints.
6. Third-party processors
We share data with a small set of third-party processors strictly as needed to operate the service. Each processor is bound by their own security and privacy commitments:
- Railway — application hosting and database. US-region.
- Resend — transactional email delivery (account emails, creator pitch emails, system notifications).
- Anthropic — AI-drafted creator pitch content. Receives public creator bio/caption data and merchant product names. Does not receive Shopify access tokens, TikTok Shop Partners API data, or merchant PII.
- TikAPI — TikTok creator discovery via public-profile scraping. We send search terms; we receive public profile data. No merchant data flows to TikAPI.
- Shopify — merchant store data accessed via OAuth tokens we receive from merchants.
7. Vulnerability disclosure
If you believe you've discovered a security vulnerability in SeedPeep, please email [email protected] with a description and reproduction steps. We will acknowledge reports within 2 business days and work with you to validate, remediate, and credit findings where appropriate. Please give us a reasonable window to remediate before any public disclosure.
We do not currently operate a paid bug-bounty programme but will recognise material findings publicly with the reporter's consent.
8. Incident response and breach notification
- Detection: Application and infrastructure logs are monitored for anomalies. Security-relevant events trigger alerts to named personnel.
- Response: Upon detection of a security incident, we will contain the issue, assess the scope and impact, remediate the root cause, and document a post-mortem.
- Merchant notification: If a security incident results in unauthorised access to your data, we will notify affected merchants by email within 72 hours of confirming the breach, the same window GDPR Article 33 sets for notifying the supervisory authority. Notifications include the nature of the incident, data types affected, mitigations taken, and recommended actions.
- Platform partner notification: Where contractually required (e.g., Shopify, TikTok Shop), we will notify the relevant platform partner via their designated channel within the same window.
9. Data classification and retention
- We retain merchant and customer data only as long as needed to deliver the service. Categories include account data, Shopify connection tokens, creator data, gift partnership data, and attribution data.
- On account closure or upon written request, all merchant data — including any data accessed from third-party APIs on the merchant's behalf — is hard-deleted from our production database within 30 days. Confirmation of deletion is provided on request.
- Creators may unsubscribe from any further outreach via the link included in every pitch email; that opt-out is honoured permanently.
10. Privacy and data protection
Our public Privacy Policy describes what personal data we collect, how we use it, and the rights you have over it. We do not have a formally appointed Data Protection Officer — our organisation does not meet the EU GDPR threshold for mandatory DPO appointment — but inquiries about data protection can be sent to [email protected].
11. Certifications
As an early-stage company, SeedPeep has not yet pursued independent security certifications such as SOC 2 Type II, ISO 27001, or ISO 27701. These are on our roadmap as we scale. Our underlying infrastructure provider Railway is SOC 2 Type II certified, and the underlying cloud providers (AWS) hold SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, and ISO 27018 certifications.
12. Changes to this page
We may update this page as our security practices evolve. Material changes will be reflected in the "Last updated" date at the top.
Contact
Security questions, vulnerability reports, or incident notifications: [email protected].
Mailing address: Woodpigeon Inc. For our full registered address, see our Privacy Policy.