Security
Your store data is sensitive. We built LiftCommerce on infrastructure that takes security as seriously as you do.
Infrastructure Security
LiftCommerce runs on Cloudflare's global edge network, distributing traffic across 300+ data centers worldwide. Every request is protected by Cloudflare's enterprise-grade DDoS mitigation, which absorbs and deflects volumetric attacks before they reach our application layer.
Our API layer is deployed as Cloudflare Workers — stateless, isolated execution environments that eliminate traditional server attack surfaces. There are no persistent servers to compromise, no SSH access vectors, and no long-running processes.
All static assets and the Next.js frontend are served via Cloudflare's CDN with automatic cache invalidation, reducing our attack surface and improving availability.
Authentication
User authentication is handled by Supabase Auth, which implements industry-standard JWT (JSON Web Token) based sessions. Access tokens are short-lived (1 hour) and automatically refreshed using secure refresh token rotation.
OAuth integrations with Shopify, Amazon, eBay, and Etsy use the OAuth 2.0 authorization code flow with PKCE (Proof Key for Code Exchange), the variant recommended for public clients. PKCE binds the authorization code to the client that requested it, which prevents authorization code interception attacks.
Passwords are never stored in plaintext. Supabase uses bcrypt hashing with a cost factor of 10. We additionally encourage users to enable multi-factor authentication for their accounts.
Data Protection
All data stored in our Supabase PostgreSQL database is encrypted at rest using AES-256 encryption. This includes your account information, store data, AI agent outputs, and usage history.
All data in transit between your browser, our edge workers, and our database is encrypted using TLS 1.3 — the latest and most secure version of the Transport Layer Security protocol. We enforce HTTPS on all endpoints and reject unencrypted connections.
Row-Level Security (RLS) policies are enforced at the database level. This means your data is isolated from other users' data at the storage layer — not just at the application layer.
API Security
Every API request is authenticated via JWT verification at the Cloudflare Worker edge. Requests without a valid token are rejected before reaching any application logic.
We enforce rate limiting on all API endpoints to prevent abuse and brute-force attacks. Limits are applied per user, per IP, and per endpoint. Exceeding limits triggers temporary blocks with exponential backoff.
OAuth tokens for connected marketplaces are stored encrypted and are scoped to the minimum permissions required to provide the Service. Tokens are rotated regularly and revoked immediately upon account disconnection.
Responsible Disclosure
We take security reports seriously and commit to responding within 48 hours. If you discover a vulnerability in LiftCommerce, please report it to us before disclosing publicly — we appreciate responsible disclosure.
We ask that you do not access or modify other users' data, perform denial-of-service attacks, or disrupt the Service during your research. We will not pursue legal action against researchers who act in good faith.
Report a vulnerability: security@lift-commerce.com
Uptime & SLA
We target 99.9% uptime for the LiftCommerce platform. Cloudflare's global network provides inherent redundancy — traffic automatically routes around regional outages.
Planned maintenance windows are communicated at least 24 hours in advance via email and our status page. Emergency maintenance is performed outside peak hours whenever possible.
We monitor the platform 24/7 with automated alerting for latency spikes, error rate increases, and anomalous traffic patterns.
Security at a Glance
Contact
Security Team
Vulnerabilities: security@lift-commerce.com
General inquiries: support@lift-commerce.com