Back to Docs
Trust & Compliance

Security & Compliance

Tenant Isolation

Every tenant is isolated. Every request is scoped. No exceptions.

No cross-tenant data access. No cross-catalog reasoning. Tenant ID is present on every object in the system.

  • Enforced By: TenantScope middleware — every database query includes a tenant_id filter. Any request without a valid tenant scope returns 403.
  • Connector credentials: OAuth tokens and API keys are encrypted per-tenant and never shared across accounts.
  • Test Evidence: tenant_scope_isolation.spec.ts

Patch-Only Writes

No direct mutations to your catalog. Ever.

The conversational layer creates Jobs and Patches. The execution engine applies them. There is no code path that bypasses the Patch system to write directly to a connector.

  • Enforced By: PatchGate middleware — connector.write() is blocked without a valid Patch reference. Any attempt to write without a Patch returns 403.
  • Test Evidence: patchgate_blocks_direct_write.spec.ts

Immutable Audit Trail

Every action is logged, attributed, and permanent.

Approval records — who approved, when, what scope, under what policy — are write-once. They are never modified or deleted after creation.

  • Patch history: Every proposed change records who created it, who approved it, what changed, and when.
  • Deployment logs: Every deployment to your catalog is versioned with before/after snapshots.
  • Rollback capability: Any deployment can be reversed instantly. Rollback history is retained alongside forward changes.
  • Session activity: Login, logout, and administrative actions are logged with timestamps and user attribution.
  • Enforced By: Approval table has no UPDATE/DELETE permissions. DELETE on an approval record returns 403.
  • Test Evidence: approval_immutable_record.spec.ts

Lifecycle Enforcement

No feature may bypass the engine lifecycle.

Every change flows through: normalize → detect → propose → approve → deploy → audit. No step is optional. No shortcut exists.

  • Deploy without approval returns 403.
  • Sandbox is the default deployment target. Production writes require explicit escalation.
  • Enforced By: LifecycleGuard state machine enforces step ordering. DeployTarget defaults to SANDBOX. Production requires Approval.escalation = true.
  • Test Evidence: lifecycle_guard_order.spec.ts, deploy_target_sandbox_default.spec.ts

Data Handling

Encryption

  • In transit: All data is encrypted using TLS 1.3 for every connection — between your browser and EKOM, between EKOM and your data sources, and between internal services.
  • At rest: All stored data is encrypted using AES-256. Database backups and file storage use the same standard.

Data Residency

  • All catalog data is processed and stored in SOC 2 Type II certified infrastructure.
  • Data never leaves the processing region without explicit tenant configuration.

Data Retention

  • Active catalog data is retained as long as your account is active.
  • Audit logs are retained for a minimum of 12 months.
  • Upon account termination, all tenant data is permanently deleted within 30 days.

Access Controls

Authentication

  • Shopify OAuth for store authentication and connector setup.
  • Session-based authentication with encrypted, HTTP-only cookies.
  • Sessions expire after inactivity and are invalidated on logout.

Authorization

  • All mutation endpoints require authenticated sessions.
  • Role-based access controls ensure only authorized users can approve patches or deploy changes.
  • Admin actions are logged with full attribution.

API Security

  • All API endpoints validate request bodies against strict Zod schemas before processing.
  • Rate limiting is applied to prevent abuse.
  • No endpoint accepts unvalidated input.

Idempotent Deployment

Applying the same patch twice produces the same result.

Patches use field-level before/after values. Conflict detection prevents stale overwrites. If a deployment is interrupted and retried, your catalog ends up in the correct state — not a corrupted one.

  • Enforced By: ConflictDetector — compares before-value against current field value. Duplicate patch apply returns no-op, not error.
  • Test Evidence: conflict_detector_idempotent.spec.ts

Compliance

SOC 2 Type II

EKOM's infrastructure and operational controls are aligned with SOC 2 Type II requirements covering security, availability, and confidentiality.

GDPR

  • EKOM processes catalog product data, not personal consumer data. Where personal data is involved (account holder information), full GDPR rights apply.
  • Data subject access and deletion requests are honored within required timelines.
  • Data processing agreements are available upon request.

CCPA

  • California Consumer Privacy Act compliance is maintained for any personal information collected from California residents.
  • Opt-out and deletion rights are supported.

Incident Response

  • Security incidents are triaged within 1 hour of detection.
  • Affected tenants are notified within 24 hours.
  • Post-incident reports are provided for any event affecting customer data.

Responsible Disclosure

If you discover a security vulnerability, please contact us at security@ekom.ai. We take all reports seriously and will respond within 48 hours.

Related
Platform Principles

Non-negotiable commitments for how EKOM handles your catalog data.