Security

Knytt's infrastructure is built with security as a foundational requirement: - **Cloud hosting:** Our services are hosted on industry-leading cloud providers with SOC 2 Type II and ISO 27001 certifications. - **Network security:** All traffic is routed through firewalls and intrusion detection systems. We use network segmentation to isolate critical components. - **DDoS protection:** We employ enterprise-grade DDoS mitigation to ensure service availability. - **Redundancy:** Our infrastructure is designed with redundancy and failover capabilities to maintain uptime.

We use strong encryption to protect your data at every stage: - **In transit:** All data transmitted between your browser, your Shopify store, and our servers is encrypted using TLS 1.2 or higher. - **At rest:** All stored data, including product catalogs, search queries, and user information, is encrypted using AES-256 encryption. - **Secrets management:** API keys, credentials, and other secrets are stored in dedicated secrets management systems and are never hardcoded or logged.

We follow security best practices throughout our development lifecycle: - **Secure development:** Our engineering team follows OWASP guidelines and secure coding practices. - **Code review:** All code changes undergo peer review before deployment. - **Dependency management:** We regularly audit and update third-party dependencies to address known vulnerabilities. - **Input validation:** All user inputs are validated and sanitized to prevent injection attacks. - **Authentication:** We use industry-standard authentication protocols and enforce strong password requirements.

We implement strict controls to limit data access: - **Principle of least privilege:** Team members only have access to the systems and data necessary for their role. - **Multi-factor authentication:** MFA is required for all internal systems and administrative access. - **Audit logging:** We maintain comprehensive audit logs of access to sensitive systems and data. - **Data isolation:** Each merchant's data is logically isolated to prevent cross-tenant access. - **Data retention:** We retain data only as long as necessary and provide mechanisms for data deletion upon request.

Our Shopify integration is built with security in mind: - **OAuth 2.0:** We use Shopify's OAuth 2.0 flow for secure authentication—we never store your Shopify admin password. - **Scoped permissions:** We request only the minimum permissions necessary to provide our services. - **Webhook verification:** All incoming Shopify webhooks are cryptographically verified to prevent tampering. - **API rate limiting:** We implement rate limiting to protect both our systems and your Shopify store from abuse.

We maintain a structured incident response process: - **Detection:** Automated monitoring and alerting systems detect potential security incidents in real-time. - **Response:** Our team follows a documented incident response plan to contain and remediate security events. - **Notification:** In the event of a data breach that affects your information, we will notify you within 72 hours in accordance with applicable laws. - **Post-incident review:** After each incident, we conduct a thorough review to identify root causes and implement preventive measures.

We are committed to meeting industry security standards: - **GDPR:** We comply with the General Data Protection Regulation for handling personal data of EU residents. - **CCPA:** We comply with the California Consumer Privacy Act for California residents. - **SOC 2:** We are working toward SOC 2 Type II certification as we scale. We regularly review our security posture and update our practices to align with evolving standards and regulations.

We value the security research community and encourage responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us: - **Email:** security@knytt.io Please include a detailed description of the vulnerability and steps to reproduce it. We ask that you: - Give us reasonable time to investigate and address the issue before public disclosure. - Avoid accessing or modifying other users' data. - Act in good faith to avoid disruption to our services. We will acknowledge receipt of your report within 48 hours and provide regular updates on our progress.

For security-related questions or concerns, please contact our security team: - **Email:** security@knytt.io - **Website:** https://knytt.io/contact