Security & Trust

    Security & data handling.

    How we protect your customer data, integration credentials, and tenant isolation. Built for the kind of due diligence your IT team will actually run on a vendor.

    Encryption at rest

    Your integration credentials never live as plaintext.

    When you connect a payment processor, SMS provider, or accounting tool, the API keys are encrypted before they touch the database. Even our engineers can't read them in plaintext — they're decrypted only inside controlled server processes when a job needs to run.

    Helcim payment processor keys
    Twilio SMS credentials
    QuickBooks Online connection
    Shopify storefront connection
    Resend email credentials
    EDI partner credentials

    Multi-store data isolation

    Your data stays yours. Period.

    Other companies on the platform can never read or write your data — and your store managers see only the stores they're assigned to. The isolation is enforced at the database layer, not just in UI filters. A district manager covering Nashville and Memphis sees exactly Nashville and Memphis; a query that asks for any other store returns zero rows.

    Data type | How it's protected
    Customers, products, invoices, deliveries | Scoped to your company only — other tenants can't see your data even if their app code asked for it
    Lifecycle tables (notes, activity, line items) | Inherit isolation from their parent records — no leak paths through join tables
    Staff role changes | Promotion/assignment go through guarded paths only — never a raw database update
    Store assignment changes | Same — every staff-store change is checked, logged, and reversible
    Integration credentials | Read-only from the app — keys are decrypted only inside controlled server processes

    AI privacy

    Customer PII never reaches Anthropic.

    Every LLM call routes through a shared redaction helper that strips identifying fields before any prompt is constructed. The agent gets enough context to do its job (purchase history, product preferences, lifecycle stage) but nothing that could de-anonymize the customer if logged.

    Stripped before AI

    Customer phone numbers
    Customer email addresses
    Customer free-text notes
    Customer street addresses
    Internal customer_id UUIDs
    Payment card data (handled by Helcim)

    What the AI sees

    Anonymized customer hash
    Purchase category history
    Product preferences
    Lifecycle stage
    Days since last visit
    Aggregate spend bucket
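
A sketch of the allow-list redaction step described above, added here as an illustration; it is not RetailGenie's code. The field names, bucket thresholds, keyed-hash construction and demo key are all assumptions, and the sample record is constructed.

```python
import hashlib
import hmac
from datetime import date

# Assumption: field names, bucket edges and the HMAC key are illustrative.
ALLOWED_FIELDS = {"purchase_categories", "product_preferences", "lifecycle_stage"}
SPEND_BUCKETS = [(0, "none"), (1, "low"), (500, "mid"), (2000, "high")]  # lower bounds


def anonymized_hash(customer_id: str, key: bytes) -> str:
    """Keyed hash: the raw UUID never appears and cannot be guessed without the key."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def spend_bucket(total_spend: float) -> str:
    """Map an exact spend figure to a coarse label so the amount itself is not sent."""
    label = SPEND_BUCKETS[0][1]
    for lower, name in SPEND_BUCKETS:
        if total_spend >= lower:
            label = name
    return label


def redact_for_llm(customer: dict, key: bytes, today: date) -> dict:
    """Build the LLM context from an allow-list; unknown or new fields are dropped by default."""
    context = {k: customer[k] for k in ALLOWED_FIELDS if k in customer}
    context["customer_hash"] = anonymized_hash(customer["customer_id"], key)
    context["days_since_last_visit"] = (today - customer["last_visit"]).days
    context["spend_bucket"] = spend_bucket(customer["total_spend"])
    return context


# Constructed sample record (not real data).
SAMPLE = {
    "customer_id": "00000000-0000-4000-8000-000000000001",
    "phone": "+1-555-0100",
    "email": "pat@example.com",
    "notes": "Call after 5pm, gate code 1234",
    "street_address": "1 Example St",
    "purchase_categories": ["mattresses", "bedding"],
    "product_preferences": ["firm"],
    "lifecycle_stage": "repeat",
    "last_visit": date(2024, 1, 1),
    "total_spend": 1250.0,
}

if __name__ == "__main__":
    print(redact_for_llm(SAMPLE, b"constructed-demo-key", date(2024, 1, 31)))
```

Because the context is built from an allow-list rather than by deleting known PII fields, a column added to the customer record later stays out of prompts until someone explicitly permits it.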

    Audit logging

    Immutable trail for every sensitive action.

    Every sensitive change captures who did it, when, and what changed — including IP and device. The log can be read but never edited or deleted, so when something goes sideways you have an unambiguous record. Useful for both internal accountability and the kind of audit your CPA might run.

    Staff role changes and store assignments
    Integration credential updates
    Invoice voids and cancellations
    Refunds and payment adjustments
    Loyalty point redemptions
    Cross-company access by franchise-tier or platform staff
    AI agent invocations (with PII-stripped context)

    Compliance roadmap

    Where we are and where we're going.

    We don't claim certifications we don't have. Here's the actual state of each compliance and security commitment, updated as we ship.

    • Database-level encryption for all integration credentials: Shipped
    • Tenant data isolation across every customer-facing table: Shipped
    • Immutable audit log of every sensitive change: Shipped
    • Customer PII never sent to AI providers: Shipped
    • Per-user rate limiting on sensitive operations: Shipped
    • Daily backups (managed, 7-day retention): Shipped
    • PCI-compliant card tokenization (Helcim hosted fields): In progress
    • SOC 2 Type I attestation: Planned

    Reporting a vulnerability

    Found something? We'd rather hear from you than read about it on a bug bounty leaderboard. Email austin@retailgenie.io with reproduction steps. We respond within 24 hours.

    We don't have a formal bug bounty program yet, but we credit responsible disclosure on the changelog and send a thank-you the way real humans do.
