Security overview

HYGO Shop is operated by HYGO Inc. The platform runs on Cloudflare's global edge: Workers for the API tier; Pages for the marketing, docs, and status sites; R2 for object storage; and Postgres (a Cloudflare-Tunneled droplet, with Neon as the provider-portable fallback) for canonical relational data.

Encryption

  • In transit — all public endpoints (hygoshop.com, api.hygoshop.com, docs.hygoshop.com, status.hygoshop.com) require TLS 1.2+. Cloudflare terminates TLS at the edge; backend hops between Cloudflare and origin run on Cloudflare's authenticated tunnel.
  • At rest — Postgres data is encrypted at rest (LUKS / managed-provider equivalent). R2 objects inherit Cloudflare's at-rest encryption.

Access control

  • Tenant scoping is enforced at the Worker route layer; Postgres row-level security gives a defense-in-depth check.
  • Cross-tenant reads are explicitly rejected. Every persisted row carries a tenant_id.
  • Admin actions inside HYGO Shop require re-authentication (SuperTokens-issued short-lived tokens).

Secrets management

  • All credentials (API keys, OAuth client secrets, database passwords) are stored as Cloudflare secrets — never in source.
  • Vendor SDK access tokens (Shopify, Amazon, Ayrshare, ...) are encrypted before persistence using a per-tenant key stored in a separate secret namespace.

Vendor scope minimization

HYGO Shop wraps every external service in an adapter package. Adapters expose only the surface the platform actually needs — vendor SDKs are never imported outside their adapter. This is a code-level boundary the lint suite enforces (pnpm lint:adapter-boundary).
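
One way a boundary check of this kind can work, as an added example that is not HYGO Shop's own lint code: it flags any import of a vendor SDK from a file outside that vendor's adapter directory. The package-to-directory map, the packages/adapters/<vendor> layout and the sample files are assumptions.

```javascript
// Added example: packages, directory layout and file contents are assumptions.
// Vendor SDK package -> the only directory allowed to import it.
const ADAPTER_OWNERS = {
  '@shopify/shopify-api': 'packages/adapters/shopify',
  'amazon-sp-api': 'packages/adapters/amazon',
};

// Static imports/re-exports, side-effect imports, require() and dynamic import()
// with a string-literal specifier. Computed specifiers are not resolved.
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(\s*|\brequire\s*\(\s*|\bimport\s+)(['"])([^'"]+)\1/g;

// Trailing "/" stops "adapters/shopify-reports" matching "adapters/shopify".
const isInside = (file, dir) => file.startsWith(dir + '/');

// Subpath imports ("pkg/lib/x") count as imports of the SDK itself.
function ownerOf(specifier) {
  const pkg = Object.keys(ADAPTER_OWNERS).find(
    (p) => specifier === p || specifier.startsWith(p + '/'));
  return pkg ? { pkg, dir: ADAPTER_OWNERS[pkg] } : null;
}

// files: { path: source }. Returns one record per out-of-boundary import.
function findViolations(files) {
  const violations = [];
  for (const [file, source] of Object.entries(files)) {
    source.split('\n').forEach((text, i) => {
      for (const m of text.matchAll(SPECIFIER_RE)) {
        const owner = ownerOf(m[2]);
        if (owner && !isInside(file, owner.dir)) {
          violations.push({ file, line: i + 1, pkg: owner.pkg });
        }
      }
    });
  }
  return violations;
}

// Constructed sample tree (@hygo/adapter-shopify is a hypothetical name).
const SAMPLE = {
  'packages/adapters/shopify/src/client.ts': "import { shopifyApi } from '@shopify/shopify-api';",
  'packages/adapters/shopify-reports/src/x.ts': "const s = require('@shopify/shopify-api');",
  'apps/api/src/routes/orders.ts':
    "import { listOrders } from '@hygo/adapter-shopify';\nconst sp = await import('amazon-sp-api');",
  'packages/adapters/amazon/src/index.ts': "export * from 'amazon-sp-api/lib/x';",
};
console.log(findViolations(SAMPLE));
```

The matcher works on text rather than a parsed syntax tree, so an import-like string inside a comment is also flagged; the check errs toward reporting.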

OAuth scopes requested per integration are documented on each integration's page. We do not request payment scopes, DM scopes, advertising scopes, or "read all" scopes from any vendor.

Vulnerability handling

  • All public-facing code is reviewed in PR before merge.
  • Dependencies are pinned in lockfiles and updated on a regular cadence.
  • Reports go to security@hygoshop.com. We acknowledge within 1 business day and aim to remediate critical vulnerabilities within 7 days.

Subprocessors

The full list of subprocessors that touch tenant data is published at hygoshop.com/subprocessors. We notify customers in advance of changes.

See Data handling for what we store, why, and how long.