Skip to content

Security

Your data, your tenant, audit-logged.

CommercePulse runs as three hard-isolated planes: the public-facing buyer plane, the merchant cockpit plane, and the operator plane. They share no database, no memory and no agent context. Inside the merchant plane, your tenant is yours alone.

Per-tenant database

Every merchant gets a dedicated database schema. No shared rows, no JOIN-with- tenant_id, no chance of cross-tenant data leak.

Per-merchant encryption keys

Sensitive fields are encrypted at rest with a key minted per merchant. Compromise of one tenant's data never reveals another's.

Audit-logged agents

Every agent decision - price, escalation, refusal, return, voice action - lands in an append-only log with the reasoning the agent used.

GDPR consent registry

Buyer consent is captured per-purpose, per-channel, with timestamped provenance. Data subject access requests run from the cockpit.

WCAG 2.2 AA

Every surface - storefront chat, cockpit, voice - is accessibility-tested against WCAG 2.2 AA. AAA on critical paths.

Fail-loud refusals

The agent never quietly mis-answers. When it can't help - out of policy, out of stock, out of scope - it says so plainly and offers an escalation.

Compliance posture

What we're working toward.

We're early. We don't claim certifications we don't hold. Here is the honest table.

Standard Status When
GDPR Compliant Today
WCAG 2.2 AA Compliant Today
SOC 2 Type I In progress Targeting end of pilot
SOC 2 Type II Planned +12 months from Type I
ISO 27001 Planned Enterprise tier roll-out
PCI-DSS Out of scope Stripe handles card data; we never touch PANs.

Operational hygiene

What runs in production.

Twelve practices we hold ourselves to. Each one is testable; each one is auditable.

  • Per-tenant connection pools - no shared cursor across merchants.
  • Append-only audit log for every agent decision and operator action.
  • Encryption at rest (AES-256) and in transit (TLS 1.3 only).
  • Quarterly key rotation; broken-glass procedure for emergency rotation.
  • Operator console access requires JWT + IP allowlist + 2-of-2 review.
  • Pre-prod data is synthetic; we never copy production rows downstream.
  • Backups: daily incremental, weekly full, 30-day retention, restored monthly.
  • Vendor LLM calls are logged with redacted PII; we publish what we send.
  • Cost guardrails per tenant: hard cap, anomaly multiplier, fail-loud breach.
  • Incident postmortems published in your cockpit within 5 business days.
  • Open security disclosure: report responsibly, get acknowledged within 24h.
  • WCAG 2.2 AA gates merge-to-main on every surface change.

Need the security briefing pack?

We'll send architecture diagrams, the agent-decision audit format, and a draft DPA on request - to a verified domain.

Request the pack