Security at Cartly
Security is foundational to the Cartly platform. We protect merchant data, customer information, and payment transactions with multiple layers of defense. This page describes our security practices and how to report vulnerabilities.
Infrastructure Security
- Isolated environments: Multi-tenant architecture with strict data isolation between shops using row-level security (RLS) at the database level
- Cell-based architecture: Horizontal scaling via isolated infrastructure cells, preventing cross-tenant interference and limiting blast radius of any incident
- Network security: All external traffic is encrypted with TLS 1.3. Internal service communication uses mutual TLS where applicable.
- Firewall and access control: Network segmentation with strict firewall rules. Only necessary ports are exposed. SSH access requires key-based authentication.
- DDoS protection: Cloudflare-based DDoS mitigation for all public-facing endpoints with automatic traffic analysis and filtering
- Automated backups: Daily encrypted database backups with point-in-time recovery capability. Backups are tested regularly for integrity.
Application Security
- Authentication: JWT-based authentication with configurable session expiration. Two-factor authentication (TOTP) available for merchant and admin accounts.
- Authorization: Role-based access control (RBAC) with principle of least privilege. Every API endpoint enforces permission checks.
- Input validation: All user inputs are validated and sanitized server-side. GraphQL queries are subject to depth limiting (max 10) and complexity analysis (max 200).
- CSRF protection: Cross-site request forgery tokens required for all state-changing operations.
- Rate limiting: Configurable rate limits on all API endpoints to prevent abuse and brute-force attacks.
- Idempotency: All state-changing endpoints require an X-Idempotency-Key header to prevent duplicate operations.
- Dependency management: Automated dependency scanning and updates. Known vulnerabilities are patched within 48 hours of disclosure.
Data Protection
- Encryption at rest: All databases and file storage use AES-256 encryption at rest
- Encryption in transit: All data transmitted between clients and servers uses TLS 1.3
- Data minimization: We collect only the data necessary to provide the Service. Personally identifiable information (PII) is never logged.
- Data retention: Clearly defined retention policies with automatic purging of expired data. See our Privacy Policy for details.
- Right to deletion: Merchants and customers can request complete data deletion at any time
Payment Security
- PCI compliance: All payment processing is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of certification in the payment industry
- No card storage: Cartly never stores, processes, or transmits full credit card numbers. All card data is handled exclusively by Stripe.
- Webhook verification: All Stripe webhook payloads are verified using cryptographic signatures before processing
- Secure checkout: Checkout runs as a Temporal workflow using the Saga pattern, so every authorized payment results in an order and a failed step is rolled back by its compensating action rather than left half-applied
Access Control
- Principle of least privilege: Internal team members have access only to systems and data required for their role
- Audit logging: All administrative actions across the platform are recorded in tamper-evident audit logs with timestamps, user IDs, and action details
- Key management: Secrets and API keys are stored in environment variables, never in code repositories. The server refuses to start if critical secrets (e.g., JWT_SECRET) are missing.
- OAuth 2.0: Third-party applications access merchant data only through scoped OAuth tokens with explicit user consent
Vulnerability Disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us:
- Email: security@cartly.pro
- Response: We will acknowledge your report within 24 hours and provide an initial assessment within 72 hours
- Scope: All Cartly-operated services, APIs, and web properties are in scope
Guidelines for researchers:
- Do not access, modify, or delete data belonging to other users
- Do not perform denial-of-service attacks or social engineering
- Provide sufficient detail to reproduce the issue
- Allow reasonable time for remediation before public disclosure
We are committed to working with researchers in good faith and will not pursue legal action against those who follow these guidelines.