Security & data handling

How Ardent Seller protects your business data

You own your data, you can export it any time, and you can delete it when you leave. Below is the concrete list of how that works today — including what we have and what we don't.

This page is the public companion to our privacy policy and terms. The privacy policy is the legal document; this page is a plain-language summary of the security and data-handling controls we run today.

Last updated

  • TLS everywhere · AES-256 at rest: in transit and at rest
  • Two-level tenant isolation: account- and entity-scoped queries
  • Two independent backup paths: Supabase daily DB + AWS off-platform copies
  • One-click data export: full JSON + per-section CSV

What we run today

Each card describes a specific control, names the technology behind it, and links to the place in the product where you can see it for yourself.

Multi-tenant isolation

Every query against your business data is filtered by your account, and inventory, transactions, and procedures are additionally filtered by location.

  • Account-level isolation: Every read and write is filtered by accountId via centralized security helpers (verifyUserAccountAccess for reads, verifyUserWriteAccess for mutations). Cross-tenant data is unreachable by API design, not just by convention.
  • Entity-level isolation: Tables that hold per-location data — inventory, photos, transactions, transaction files, procedures, and equipment logs — are additionally filtered by the entity (location) you have selected. Switching entities in the app changes which data is fetched server-side, not what gets hidden in the UI.
  • User identity from the server: The authenticated user ID is read from the Supabase session on every request — never accepted as client input — so a tampered request cannot impersonate another user.
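The pattern the three bullets describe, as an added example (not Ardent Seller's own code): the tenant is resolved from the server-side session, an entity named by the client is accepted only if it belongs to that tenant, and both predicates are applied on the data path. The in-memory tables, the membership shape and the helper names verifyEntityInAccount and listInventory are assumptions.

```javascript
// Added example, not the project's code. Constructed in-memory stand-ins for Postgres rows.
const memberships = [
  { userId: 'u-alice', accountId: 'acct-1', role: 'owner' },
  { userId: 'u-bob', accountId: 'acct-2', role: 'owner' },
];
const entities = [ // each location belongs to exactly one account
  { entityId: 'ent-10', accountId: 'acct-1' },
  { entityId: 'ent-20', accountId: 'acct-2' },
];
const inventory = [
  { id: 1, accountId: 'acct-1', entityId: 'ent-10', sku: 'MUG-RED' },
  { id: 2, accountId: 'acct-2', entityId: 'ent-20', sku: 'MUG-BLUE' },
];

class ForbiddenError extends Error {}

// Account-level isolation: the tenant comes from the authenticated session,
// never from anything the client sent in the request body.
function verifyUserAccountAccess(session) {
  const m = memberships.find((row) => row.userId === session.userId);
  if (!m) throw new ForbiddenError('session user has no account membership');
  return m.accountId;
}

// Entity-level isolation: the client may name a location, but it must be one
// owned by the session's account. (Assumed helper name.)
function verifyEntityInAccount(accountId, entityId) {
  const e = entities.find((row) => row.entityId === entityId);
  if (!e || e.accountId !== accountId) throw new ForbiddenError('entity not in account');
  return e.entityId;
}

// Read path: any accountId in `input` is ignored; both filters are applied server-side.
function listInventory(session, input) {
  const accountId = verifyUserAccountAccess(session);
  const entityId = verifyEntityInAccount(accountId, input.entityId);
  return inventory.filter((r) => r.accountId === accountId && r.entityId === entityId);
}
```

A request that carries someone else's accountId together with one of their entity ids fails at verifyEntityInAccount, because the entity lookup is checked against the session's account rather than the supplied one.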

Transport security

TLS graded A+ on every endpoint, strict HTTP response headers with no script-src 'unsafe-inline', plus DNS and email-authentication hardening, independently verified by SSL Labs, securityheaders.com, and Hardenize.

  • TLS in transit: All web traffic is served over HTTPS / TLS via Netlify. All Supabase Postgres connections require TLS. Backup buckets reject any non-HTTPS request via bucket policy.
  • SSL Labs — A+: Qualys SSL Labs grades our TLS configuration A+ on all backend servers (run the test yourself; result current as of May 15, 2026).
  • HTTP response headers: Every response from the marketing site and the app carries a strict Content-Security-Policy with default-src 'self', frame-ancestors 'none', and an allowlisted set of external script / connect / image sources. The script-src directive does not include 'unsafe-inline' — every script on every page is either same-origin static or explicitly allowlisted, which closes off the largest class of XSS escalations. Alongside CSP we ship Strict-Transport-Security: max-age=31536000; includeSubDomains, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, a Permissions-Policy that disables camera, microphone, and geolocation, and X-XSS-Protection: 0 (explicitly disabling the legacy browser XSS auditor, which is the modern recommendation from OWASP and MDN — the auditor itself introduced vulnerabilities, and CSP is the proper XSS defense).
  • securityheaders.com — A+: Scott Helme's securityheaders.com grades our HTTP response headers A+ (run the test yourself; result current as of May 15, 2026).
  • Hardenize — all green: Hardenize's comprehensive scan — which covers TLS, HTTP response headers, DNS (DNSSEC, CAA), and email authentication (SPF, DKIM, DMARC with p=reject, MTA-STS) — returns all-green findings for www.ardentseller.app. This is the broadest of the three checks and the only one that verifies our email-authentication and DNS posture (run the test yourself; result current as of May 15, 2026).
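The header set described above, as an added example (not the project's own code) together with a small check of the kind a reviewer would run on a Content-Security-Policy before trusting a grade: parse the policy and report whether the effective script-src directive permits inline scripts. The allowlisted hosts are constructed placeholders, and buildSecurityHeaders, parseCsp and cspAllowsInlineScript are assumed names.

```javascript
// Added example, not the project's code.
function buildSecurityHeaders({ scriptHosts = [], connectHosts = [], imgHosts = [] } = {}) {
  const csp = [
    "default-src 'self'",
    `script-src 'self' ${scriptHosts.join(' ')}`.trim(), // no 'unsafe-inline' here
    `connect-src 'self' ${connectHosts.join(' ')}`.trim(),
    `img-src 'self' data: ${imgHosts.join(' ')}`.trim(),
    "frame-ancestors 'none'",
  ].join('; ');
  return {
    'Content-Security-Policy': csp,
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
    'X-XSS-Protection': '0', // legacy auditor off; CSP is the XSS control
  };
}

// Parse "directive v1 v2; directive v3" into Map<directive, [values]>.
function parseCsp(csp) {
  const out = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return out;
}

// True if inline scripts would execute under this policy.
// script-src falls back to default-src; no directive at all means no restriction.
// A nonce or hash source makes 'unsafe-inline' ignored by CSP3-aware browsers.
function cspAllowsInlineScript(csp) {
  const d = parseCsp(csp);
  const effective = d.get('script-src') ?? d.get('default-src');
  if (!effective) return true;
  const hasNonceOrHash = effective.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  return effective.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

The fallback rule is the part people get wrong: a policy with 'unsafe-inline' in default-src but a separate script-src without it is fine for scripts, while the reverse is not.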

Encryption at rest

AES-256 for database storage, AWS KMS with customer-managed keys for backups, and an extra application-layer AES-256-GCM envelope for marketplace OAuth tokens.

  • Database storage: All database storage is encrypted with AES-256 by Supabase at the storage layer.
  • Backups: Backup buckets in our AWS account are encrypted with AWS KMS using a customer-managed key with automatic annual key rotation enabled.
  • Marketplace tokens (extra layer): Etsy and other marketplace OAuth tokens are encrypted with AES-256-GCM at the application layer before they touch the database, using node:crypto with a per-record 12-byte random IV and a 16-byte authentication tag. The encryption key is a 32-byte secret loaded from AWS Secrets Manager — not stored in source, not in the database.
  • Versioned wire format: Encrypted tokens are stored as v1:<iv>:<tag>:<ciphertext> so we can rotate keys or algorithms in place without a downtime migration.

Authentication

Supabase Auth backs sign-in. Email + password, magic link, and Google or Facebook OAuth are all supported. Passwords must be at least 16 characters.

  • Provider: Supabase Authentication.
  • Sign-in options: Email + password, passwordless magic link, and Google or Facebook OAuth — all live today and selectable from the sign-up and login pages.
  • Password policy: Minimum 16 characters on sign-up and password reset. We do not enforce arbitrary character-class rules — length beats complexity.
  • Sessions: The Supabase session is held in a cookie and re-validated server-side on every tRPC call. There is no long-lived bearer token shipped to the browser.
  • Team roles: Within an organization account, members hold one of four roles — owner (full access; only the owner can transfer ownership, change billing, or delete the account), manager (can manage team and data), user (can view and edit data), and auditor (read-only access).

Payments & card data

Card numbers never touch our infrastructure. Lemon Squeezy is our merchant of record and handles all PCI scope.

  • Hosted checkout: When you upgrade or buy credits, the app redirects you to a checkout page hosted on Lemon Squeezy's own domain. Card details are entered there, not on ardentseller.app. We never see, receive, or store a card number or CVV.
  • Merchant of record: Lemon Squeezy is the legal merchant of record for every transaction. They handle PCI compliance, sales-tax and VAT collection, chargebacks, and refunds. Our involvement on the payment leg ends at "send the customer to checkout."
  • What we do store: Subscription identifiers, order identifiers, plan, billing frequency, and the last-four digits of the card as returned by Lemon Squeezy for display in Settings. No primary account number (PAN), no CVV, no expiration date.
  • Webhook integrity: Lemon Squeezy webhook deliveries are verified against an HMAC signature on every request and deduplicated against a processed-events table, so a replayed or forged webhook cannot create a fraudulent charge or unlock a paid plan.

Data export

Your data is yours. You can download a full JSON export of your account at any time, plus per-section CSVs from every list view.

  • Full account export: A complete JSON export — inventory, transactions, procedures, entities, and attributes — is available from Settings → Data Management. Rate-limited to one export per hour per account.
  • Per-section CSV: Every list view in the app (inventory, transactions, vendors, customers, recipes, equipment, etc.) exports the current filtered, sorted result set as CSV with one click.
  • Locked-account export: If your account is locked due to inactivity, the bulk export still works from the locked screen — you don't have to pay to retrieve your data.
  • Reporting exports: Built-in reports (P&L, inventory valuation, depreciation schedule, sales by product, etc.) export as CSV and PDF.

Account & data deletion

You can delete your account yourself, and we run a multi-step inactivity policy with email warnings before any account is purged.

  • Self-serve deletion: From Settings → Data Management, an account owner can permanently delete their account. The flow requires typing DELETE EVERYTHING verbatim and cancels any active Lemon Squeezy subscription as part of the same transaction.
  • What's deleted: All business data (inventory, transactions, procedures, entities), all uploaded files and photos, all marketplace connections (with tokens revoked), audit records, invitations, and the Supabase auth user if this was the only account they belonged to.
  • Inactivity policy (Free): Warning email at 30 days, account lock at 60 days, full deletion at 75 days of inactivity. A daily evaluator Lambda runs in AWS to enforce this consistently.
  • Inactivity policy (Pay As You Go): Warning at 60 days, lock at 90 days, deletion at 180 days. Paid flat-rate plans (Maker, Artisan, Workshop) are not subject to inactivity deletion while their subscription is active.
  • Marketplace data: Disconnecting a marketplace stops importing new data and deletes cached tokens; you can also request deletion of all data imported from a specific platform via support.

Audit trail

Every mutation in the app writes an audit record so you can see who changed what, when, and from where.

  • What's logged: Inserts, updates, and deletes across inventory, transactions, procedures, entities, and team membership, plus production runs and inventory transfers. Each record stores the user, the affected record, a JSON diff of the change, and a timestamp.
  • Retention by plan: 7 days on the free plan and Pay As You Go by default. Maker and Artisan retain 30 days; Workshop retains 60 days. Pay As You Go users can upgrade to 30-day, 60-day, or unlimited retention from Settings.
  • Visible to you: Audit records are surfaced in the app on every record's detail view, so you can investigate a change without filing a support ticket.
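What one of those audit records can look like, as an added example (not the project's own code): a field-level JSON diff between the before and after images of a row, with inserts and deletes modelled as a null side, and a redaction list so secret-bearing columns are recorded as changed without their values landing in the audit table. The record fields, the helper names and the REDACTED_FIELDS list are assumptions.

```javascript
// Added example, not the project's code.
// Assumed: columns whose values must never be written into an audit diff.
const REDACTED_FIELDS = new Set(['accesstoken', 'refreshtoken', 'password']);

// { field: { from, to } } for every top-level field that differs.
// A null `before` models an insert, a null `after` models a delete.
function jsonDiff(before, after) {
  const diff = {};
  const keys = new Set([...Object.keys(before ?? {}), ...Object.keys(after ?? {})]);
  for (const k of keys) {
    const from = before ? before[k] : undefined;
    const to = after ? after[k] : undefined;
    if (JSON.stringify(from) === JSON.stringify(to)) continue;
    diff[k] = REDACTED_FIELDS.has(k.toLowerCase())
      ? { from: '[redacted]', to: '[redacted]' }
      : { from: from ?? null, to: to ?? null };
  }
  return diff;
}

function auditAction(before, after) {
  if (before == null) return 'insert';
  if (after == null) return 'delete';
  return 'update';
}

// Who, what record, what changed, and when. `now` is injectable for testing.
function makeAuditRecord({ actorUserId, table, recordId, before, after, now = () => new Date() }) {
  const changes = jsonDiff(before, after);
  return {
    actorUserId,
    table,
    recordId,
    action: auditAction(before, after),
    changes,
    changedFields: Object.keys(changes).sort(),
    at: now().toISOString(),
  };
}
```

Storing the diff rather than a full copy of the row keeps the audit table small and makes "what exactly changed" answerable from one record; the redaction set is the check that stops an OAuth token rotation from leaking the token into a table with a longer retention window than the token itself.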

Backups & disaster recovery

Two independent backup paths: Supabase takes daily database backups on its own infrastructure, and we additionally pull our own copies into an Object-Lock-protected S3 bucket in AWS us-east-2.

  • Daily database backups (Supabase): The managed Postgres platform runs an automated daily backup of the database with point-in-time-recovery support. These backups are stored on Supabase's own infrastructure and are independent of any AWS outage on our side.
  • Weekly off-platform database snapshot (our AWS account): In addition to Supabase's daily backups, we pull our own database snapshot every Sunday at 04:00 UTC into our AWS account. Retained for 12 weeks. This protects against a hypothetical Supabase-side incident where the platform-level backups are also affected.
  • Daily storage backups: Product photos, file attachments, and other user-uploaded content are copied daily at 03:00 UTC into the same AWS bucket. Retained for 30 days.
  • Where our copies live: A dedicated AWS S3 bucket in us-east-2 (Ohio) with KMS encryption (customer-managed key, rotation enabled), S3 Object Lock, and a bucket policy that denies any non-HTTPS request and blocks all public access.
  • Lifecycle: Older backups transition to Intelligent-Tiering after 90 days and to deep archive after 180 days to keep historical snapshots affordable without losing them.

Telemetry & privacy

Error monitoring and product analytics are scrubbed, sampled, and gated on consent.

  • Error monitoring (Sentry): Stack traces and a 10% sample of performance traces. sendDefaultPii is off; a beforeSend hook scrubs email addresses, auth tokens, cookies, and request bodies before any event leaves the browser. Sentry session replay is disabled.
  • Product analytics (PostHog): In-app interaction events and a sampled (~20%) session replay on a handful of pages (sign-up, onboarding, login, dashboard, pricing). IPs are anonymized at ingest, persistence is in-memory only (no cookies or localStorage), and the entire integration is gated on the Analytics-category consent in our cookie banner.
  • Marketing analytics (Umami): Cookieless, aggregate-only page analytics on public marketing pages. No personal data is collected or transmitted.
  • Email tracking: Recipient addresses on delivery-event records are stored as one-way cryptographic hashes, and the records are auto-purged after 90 days.
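A beforeSend hook of the kind the error-monitoring bullet describes, as an added example (not the project's own code): it rewrites e-mail addresses and bearer tokens wherever they appear in string fields, drops cookies and request bodies outright, and removes authorization-type headers, without mutating the original event. The event shape follows Sentry's common fields (user, request.headers, request.cookies, request.data, breadcrumbs); the regular expressions and the header list are assumptions.

```javascript
// Added example, not the project's code.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const BEARER_RE = /Bearer\s+\S+/gi;
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'set-cookie', 'x-api-key']);

function scrubString(s) {
  return s.replace(EMAIL_RE, '[email]').replace(BEARER_RE, 'Bearer [token]');
}

// Deep copy with every string scrubbed, so the caller's object is left untouched.
function scrubValue(v) {
  if (typeof v === 'string') return scrubString(v);
  if (Array.isArray(v)) return v.map(scrubValue);
  if (v && typeof v === 'object') {
    const out = {};
    for (const [k, val] of Object.entries(v)) out[k] = scrubValue(val);
    return out;
  }
  return v;
}

// Sentry calls beforeSend with the event and sends whatever it returns.
function beforeSend(event) {
  const e = scrubValue(event);
  if (e.user) {
    delete e.user.email;
    delete e.user.ip_address;
  }
  if (e.request) {
    delete e.request.cookies;   // session material
    delete e.request.data;      // request bodies may carry passwords or tokens
    if (e.request.headers) {
      for (const h of Object.keys(e.request.headers)) {
        if (SENSITIVE_HEADERS.has(h.toLowerCase())) delete e.request.headers[h];
      }
    }
  }
  return e;
}
```

Scrubbing in the browser before the event leaves the page is the property that matters: the vendor only ever receives the redacted copy, so its retention settings cannot widen exposure.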

Rate limiting & abuse prevention

Sensitive endpoints — checkout, invitations, reports, exports, deletion — have per-user sliding-window rate limits.

  • Coverage: Checkout, team invitations, audit-trail reads, report generation, admin operations, account-lifecycle emails, session creation, procedure production runs, marketplace operations, full data export (1 / hour / account), and account deletion are all rate-limited server-side.
  • Webhook idempotency: Lemon Squeezy, Resend, and marketplace webhooks are deduplicated via an INSERT ... ON CONFLICT DO NOTHING on a dedicated processed-events table, so retries from providers are safe.
  • Background jobs: Long-running marketplace syncs use FIFO queues with dead-letter queues, capped retry counts, and reserved concurrency — a noisy or failing job cannot exhaust resources for the rest of the system.
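A per-user sliding-window limiter of the kind the coverage bullet describes, as an added example (not the project's own code), wired up for the "one export per hour per account" rule. The clock is injectable so the window can be tested without waiting; the in-memory Map is a stand-in, since the page does not say which store backs its limits, and the class and function names are assumptions.

```javascript
// Added example, not the project's code.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of allowed calls still inside the window
  }

  // Returns { allowed, remaining, retryAfterMs }. A denied call is not counted as a hit,
  // so a client hammering the endpoint does not push its own reset further out.
  check(key) {
    const t = this.now();
    const recent = (this.hits.get(key) ?? []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Key on endpoint + tenant so one account cannot consume another account's budget.
function limiterKey(endpoint, accountId) {
  return `${endpoint}:${accountId}`;
}

// The page's full-export rule: 1 per hour per account.
function makeExportLimiter(now) {
  return new SlidingWindowLimiter({ limit: 1, windowMs: 60 * 60 * 1000, now });
}
```

retryAfterMs is what a handler would turn into a Retry-After header; keying on the account rather than the session means a user cannot get around the export limit by signing in twice.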

Regional & legal posture

Data is processed in the United States. We support GDPR and CCPA rights through the export, deletion, and contact flows described above.

  • Data residency: The application runs on Netlify, the database is hosted by Supabase, and operational AWS infrastructure (backups, marketplace sync Lambdas, inactivity evaluator) runs in us-east-2 (Ohio).
  • GDPR: The export and deletion flows above cover the right of access, the right to portability, and the right to erasure. For correction or restriction-of-processing requests, contact us. The privacy policy documents Standard Contractual Clauses for international transfers.
  • CCPA: We do not sell or share personal information for cross-context behavioral advertising. California residents can exercise CCPA rights through the same export/deletion/contact paths.
  • Sub-processors: See the table below; the privacy policy carries the canonical list with each vendor's role.

What we don't have yet

Ardent Seller is built by a small team. We'd rather tell you what we haven't done than pretend otherwise.

Not yet: SOC 2 certification

Ardent Seller is not SOC 2 certified, and there is no committed timeline for an audit today. If your procurement process requires a SOC 2 report, please tell us — concrete demand from real customers is what would move it onto the roadmap.

Not yet: Third-party penetration test

We have not yet commissioned an independent penetration test. We run internal security reviews on every new router and rely on the principle of least privilege at every layer, but the third-party report does not exist yet.

Not yet: Enterprise single sign-on (SAML / SCIM)

Sign-in today supports email + password, magic link, and Google or Facebook OAuth — enough for the small-team makers and sellers we build for. Enterprise SAML SSO and SCIM user provisioning are not on the roadmap. If your procurement process requires them, tell us — concrete demand from real customers is what moves a feature onto the roadmap.

Not yet: Paid bug bounty

We accept and read every responsible-disclosure report at the contact form below, and we'll credit reporters in the changelog if they'd like, but there's no monetary bounty program yet.

Not yet: Public status page

We plan to ship a public status and incident-history page, but it isn't on the public roadmap with a committed date yet. Until then, the contact form is the fastest way to report an availability issue.

Sub-processors

These are every vendor that processes your business data on our behalf. The privacy policy covers each role in more detail.

Vendor | Purpose | Region
Supabase | Authentication and Postgres database | United States
Netlify | Application hosting (frontend + serverless API) | United States
Amazon Web Services | Backups (S3 + KMS) and marketplace sync infrastructure | us-east-2 (Ohio)
Lemon Squeezy | Subscription billing, checkout, and credit-based usage billing | United States
Resend | Transactional and marketing email delivery | United States
Sentry | Application error monitoring (scrubbed of PII) | United States
PostHog | In-app product analytics and sampled session replay (consent-gated) | United States
Umami | Cookieless marketing-page analytics | European Union
Cookie Chimp | Cookie consent management | European Union

Frequently asked questions

Short, honest answers to the security questions we hear most.

Who can see my business data?

Only you and the team members you invite. Every database query is filtered by your account ID on the server, and the data your team members see is further filtered by the location (entity) you've granted them. The Ardent Workshop team does not access customer data unless you explicitly grant access for support, and any such access is logged.

What happens to my data if I cancel?

Your data stays accessible while your account is active — including during a subscription downgrade or pause. If you actively delete your account from Settings → Data Management, it is purged immediately. If your free or Pay As You Go account becomes inactive, you'll receive multiple warning emails — with a final export link — before anything is deleted.

Do you train AI models on my data?

No. Your business data is never used to train any AI model — ours, our vendors', or anyone else's. Ardent Seller does not have any in-product AI features that access your business data today. If we ever add one, it will be opt-in, scoped to your own inputs and outputs, and called out here before it ships.

Where is my data stored?

Application data lives in Supabase Postgres in the United States. Backups and marketplace sync infrastructure run in AWS us-east-2 (Ohio). Marketing-page analytics (Umami) run in the European Union.

How do I report a security issue?

Use the contact form and select the Security Report category so the message is routed to the right inbox. Every report is read by a human. We don't yet run a paid bounty, but we'll credit reporters in the changelog if they'd like and we ask for reasonable time to fix before public disclosure.

Will security features ever cost extra?

No. Encryption, multi-tenant isolation, audit trail, full data export, and account deletion are available on every plan, including the free plan. The only thing that varies by plan is audit-trail retention — not whether it exists.

Responsible disclosure

Found a security issue? Tell us.

Use the contact form below and pick the Security Report category so the message lands in the right inbox. We don't run a paid bug bounty yet, but every report is read by a human and we'll credit you in the changelog if you'd like. Please share enough detail to reproduce the issue and give us reasonable time to fix it before disclosing publicly.