Your data security is our priority
Strut is built with security at every layer. From encryption and authentication to infrastructure and access control, we protect your shop's data with enterprise-grade measures.
Last updated: March 31, 2026
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest transport layer security protocol. This ensures your information is protected from interception during transit.
Encryption at Rest
Your data is encrypted at rest using AES-256, the industry-standard encryption algorithm trusted by governments and financial institutions worldwide.
Authentication
User authentication is powered by Supabase Auth with support for multi-factor authentication (MFA). Passwords are hashed using bcrypt and never stored in plain text.
Infrastructure
Strut is hosted on Vercel and Supabase — both SOC 2 Type II compliant providers. Our infrastructure leverages globally distributed edge networks for reliability and performance.
Access Control
We enforce role-based access control (RBAC) and the principle of least privilege across all systems. Team members only have access to the data and tools necessary for their role.
Regular Updates
We continuously monitor for security vulnerabilities and apply patches promptly. Dependencies are regularly audited and updated to address known CVEs.
Data Handling Practices
Backups & Disaster Recovery
Your data is automatically backed up daily with point-in-time recovery capabilities. Backups are stored in geographically separate locations to ensure availability even in the event of a regional outage. We regularly test our recovery procedures to verify data integrity and minimise recovery time.
Incident Response
We maintain a documented incident response plan that covers detection, containment, eradication, and recovery. In the event of a security incident that affects your data, we will notify impacted users promptly and provide clear guidance on any steps you may need to take.
Employee Access Controls
Access to production systems and customer data is restricted to authorised personnel on a need-to-know basis. All access is logged and audited regularly. Team members undergo security awareness training and follow strict authentication requirements including MFA.
Third-Party Vendor Assessment
We evaluate the security posture of all third-party services before integration. Our key infrastructure providers — Vercel and Supabase — maintain SOC 2 Type II compliance, and we regularly review their security certifications and data processing agreements.
Compliance
Strut is committed to meeting the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) for the handling of personal information in Canada.
Our infrastructure partners — Vercel and Supabase — are SOC 2 Type II compliant, providing independently audited assurance of their security, availability, and confidentiality controls. We continuously assess our own practices against industry best practices to maintain the highest level of data protection.
Reporting Vulnerabilities
We value the security research community and encourage responsible disclosure of any vulnerabilities you may discover. If you believe you have found a security issue in our platform, please report it to:
Please include a detailed description of the vulnerability, steps to reproduce it, and any potential impact. We will acknowledge your report within 48 hours and work with you to understand and resolve the issue promptly. We ask that you allow us a reasonable time to address the vulnerability before making any public disclosure.