Security
We take your data seriously.
Every technical decision is made with data security first. Here's what we do.
Tenant isolation
Each shop's data is isolated at the database level (Postgres Row-Level Security). Even if there's a bug in app code, the database itself prevents cross-account leakage.
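A sketch of how Postgres Row-Level Security enforces this kind of isolation. It is an added example, not this service's actual schema: the `sales` table, `shop_id` column, `app_user` role, `app.shop_id` setting and the UUIDs are assumed names and constructed values.

```sql
-- Hypothetical table; run this script as a database superuser.
CREATE TABLE sales (
    id      bigserial PRIMARY KEY,
    shop_id uuid NOT NULL,
    total   numeric(12,2) NOT NULL
);

-- Constructed sample rows for two shops (superusers bypass RLS, so both load).
INSERT INTO sales (shop_id, total) VALUES
    ('11111111-1111-1111-1111-111111111111', 25.00),
    ('22222222-2222-2222-2222-222222222222', 40.00);

ALTER TABLE sales ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from the policies.
ALTER TABLE sales FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read; WITH CHECK rejects rows written for
-- another shop. current_setting() raises an error when app.shop_id is
-- unset, so a request that forgot to set it fails closed.
CREATE POLICY shop_isolation ON sales
    USING (shop_id = current_setting('app.shop_id')::uuid)
    WITH CHECK (shop_id = current_setting('app.shop_id')::uuid);

-- The application role must not be able to bypass RLS.
CREATE ROLE app_user NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON sales TO app_user;
GRANT USAGE ON SEQUENCE sales_id_seq TO app_user;

-- What the application would do for each request.
SET ROLE app_user;
BEGIN;
-- Third argument true = setting lasts only for this transaction.
SELECT set_config('app.shop_id', '11111111-1111-1111-1111-111111111111', true);

-- No WHERE clause, yet only the first shop's row comes back.
SELECT id, shop_id, total FROM sales;

-- Writing a row for the other shop violates WITH CHECK and is rejected.
INSERT INTO sales (shop_id, total)
VALUES ('22222222-2222-2222-2222-222222222222', 10.00);
ROLLBACK;
RESET ROLE;
```

The guarantee holds only for roles without `SUPERUSER` or `BYPASSRLS`, which is why the application connects as a restricted role.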
Encryption in transit
All connections use HTTPS with TLS 1.3 and HSTS. Let's Encrypt certificates auto-renew.
Passwords & sessions
Passwords stored with Argon2id (the 2025 recommendation). Sessions in the database (revocable) — not JWTs. Optional TOTP per user.
Audit log
Every business mutation (sale, refund, stock adjust, role change) is recorded in an AuditLog table with user and timestamp.
Encrypted backups
Full database snapshot daily, gzipped and AES-256 encrypted, 30-day retention. Restore-ability verified automatically.
Abuse protection
Rate limiting on auth endpoints. fail2ban at the OS level. UFW firewall only allows SSH + HTTPS.
Vulnerability disclosure?
Email us at security@dafatr.com and we'll respond within 48 hours. Responsible disclosure always appreciated.

