Security

How PalUp protects merchant and customer data. Contact security@palup.ai for questions or vulnerability reports.

Infrastructure

PalUp runs on Google Cloud Platform using Cloud Run for compute and Cloud SQL for data storage.
All infrastructure is provisioned in the United States (us-central1) with automated patching and least-privilege IAM policies.
Cloud Run provides auto-scaling, container isolation, and zero-trust networking between services.
All data is encrypted at rest and in transit by default at the infrastructure layer.

Data Isolation

Every merchant's data is isolated through per-tenant Row Level Security (RLS) policies in Cloud SQL.
Tenant isolation is enforced at the database layer — no cross-tenant queries are possible, even in the event of an application-level vulnerability.
Each merchant can only access their own conversations, customer profiles, and attribution data.
Service-to-service communication uses authenticated internal endpoints with tenant context validation.

JWT-based authentication with Role-Based Access Control (RBAC) for all API access.
Shopify OAuth for merchant owners — store identity verified through Shopify's official OAuth flow.
Email/password with multi-factor authentication (MFA) for PalUp internal team members.
Session tokens are short-lived with automatic refresh. Revoked tokens are rejected immediately.

At rest: AES-256 encryption for all data stored in Cloud SQL and object storage.
In transit: TLS 1.3 for all data transmitted between clients, PalUp services, and subprocessors.
Encryption keys are managed through Google Cloud KMS with automatic rotation.
WebSocket connections use WSS (TLS-encrypted WebSocket) for all chat widget traffic.

Real-time anomaly detection monitors API traffic patterns, error rates, and resource utilization.
Audit logging captures every access event, configuration change, and data query for forensic review.
Cost velocity alerts detect unusual spending spikes that may indicate compromised API keys or abuse.
Kill switches enable immediate service suspension per-tenant or globally in the event of a security incident.
Structured logging with centralized aggregation enables rapid incident investigation.
Error tracking with automated alerting for application-level exceptions and failures.

PalUp maintains an internal incident response runbook covering five phases: detection, containment, notification, remediation, and post-incident review.
Detection: Automated monitoring triggers alerts for anomalous access patterns, error rate spikes, and data exfiltration indicators.
Containment: Kill switches and tenant-level service suspension enable immediate threat isolation.
Notification: In the event of a data breach affecting personal data, PalUp notifies the relevant supervisory authority within 72 hours of becoming aware, per GDPR Article 33. Affected data subjects and merchant controllers are notified without undue delay.
Remediation: Root cause analysis, patching, and verification that the vulnerability is resolved before restoring normal operations.
Post-incident reviews are conducted for all security events, with findings documented and remediation tracked to completion.

All subprocessors that handle merchant or shopper data are required to maintain a signed Data Processing Agreement (DPA) with PalUp.
PalUp evaluates subprocessor security posture, including SOC 2 Type II compliance, before engagement.
Subprocessor access is restricted to the minimum data necessary for their specific function.
The current subprocessor list is published at palup.ai/subprocessors and merchants are notified 30 days before any changes.

GDPR — data processing agreements, 72-hour breach notification, Data Subject rights support, and Standard Contractual Clauses for international transfers.
CCPA — no sale of personal information, right-to-know and right-to-delete support.
Shopify App Store requirements — mandatory GDPR webhooks (customers/data_request, customers/redact, shop/redact), secure handling of Protected Customer Data.

Security questions, vulnerability reports, or incident notifications: security@palup.ai.