Security Policy

Last updated: April 23, 2026

1. Our Commitment

Security is foundational to the Drapify service. We protect merchant and shopper data through layered controls covering people, processes, and technology.

2. Encryption

  • All data is encrypted in transit using TLS 1.2 or higher.
  • All data is encrypted at rest using industry-standard encryption (AES-256 or equivalent).
  • Backups are encrypted using the same standards.

3. Access Control

  • Access to production systems is restricted to authorized personnel under the principle of least privilege.
  • All staff accounts require strong passwords and multi-factor authentication.
  • Access is logged and reviewed periodically.

4. Network and Application Security

  • All public endpoints are served exclusively over HTTPS.
  • Web application firewall and DDoS mitigation are in place at the network edge.
  • Strict security headers (HSTS, content-type protection, permissions policy) are enforced.
  • Authentication tokens are scoped, short-lived, and rotated regularly.
  • Webhooks are verified using cryptographic signatures.

5. Data Segregation

Production and non-production environments are fully separated. Personal production data is never used in test or development environments.

6. Monitoring and Logging

  • Continuous monitoring of application and infrastructure activity
  • Automated alerting for anomalous behavior
  • Audit logs of administrative actions are retained for at least 12 months.

7. Vulnerability Management

  • Regular dependency and security patching
  • Static and dynamic analysis as part of the release process
  • We welcome responsible disclosure of vulnerabilities at security@drapify.ai.

8. Backup and Recovery

Personal data is backed up on rolling schedules with defined retention. Recovery procedures are tested periodically.

9. Vendor Security

Third-party service providers used to deliver the Service are vetted for security practices and bound by confidentiality and data-processing agreements.

10. Compliance Posture

We design and operate Drapify with reference to GDPR, CCPA, and Shopify's Protected Customer Data Requirements.

11. Reporting a Security Concern

Email: security@drapify.ai
Acknowledgement: within 2 business days