Security

Security is foundational to Agent Rush. We protect your data and your customers' data with industry-standard practices at every layer.

Encryption

  • AES-256-GCM encryption for all sensitive tokens (Shopify access tokens, API keys)
  • TLS 1.3 (HTTPS) for all data in transit
  • Encryption keys derived using scrypt with independent salt
  • No plaintext secrets in logs or error messages

Authentication & Authorization

  • Supabase Auth with secure session management
  • OAuth 2.0 for Shopify integration (standard authorization code grant)
  • Per-user data isolation — users can only access their own agents, stores, and conversations
  • API keys scoped to individual agents with prefix-based identification

Infrastructure

  • Hosted on Vercel — SOC 2 Type II certified, ISO 27001 compliant
  • Database on Supabase (PostgreSQL) — SOC 2 Type II certified
  • Edge network for low-latency global access
  • Automatic scaling with no single points of failure

API Security

  • Rate limiting on all API endpoints (fail-closed for critical routes)
  • CSRF token validation for state-changing requests
  • HMAC-SHA256 signature verification for all Shopify webhooks
  • Input validation and sanitization using Zod schemas
  • GraphQL query parameterization to prevent injection

Monitoring & Logging

  • Structured logging for security events and API access
  • Request ID tracing for incident investigation
  • Webhook idempotency tracking to prevent replay attacks
  • Automated alerts for unusual activity patterns
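
The HMAC-SHA256 webhook check listed under API Security and the idempotency tracking listed above can be combined in one handler. The following is an added example, not Agent Rush's own code; the function names, the in-memory Set and the sample values are assumptions. The only real identifiers are Shopify's X-Shopify-Hmac-Sha256 and X-Shopify-Webhook-Id headers.

```javascript
// Added example: function names, store and sample data are hypothetical.
const crypto = require('node:crypto');

// True only if the header is the base64 HMAC-SHA256 of the exact raw body bytes.
function verifyShopifyHmac(rawBody, hmacHeader, secret) {
  if (typeof hmacHeader !== 'string') return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(hmacHeader, 'base64');
  // timingSafeEqual throws on unequal lengths, so check length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// headers: lower-cased header map; seen: Set standing in for a durable
// table with a unique constraint on the webhook id.
function handleWebhook(headers, rawBody, secret, seen) {
  // Authenticate before touching the idempotency store, so an
  // unauthenticated sender cannot mark ids as already processed.
  if (!verifyShopifyHmac(rawBody, headers['x-shopify-hmac-sha256'], secret)) {
    return { status: 401, action: 'rejected' };
  }
  const id = headers['x-shopify-webhook-id'];
  if (!id) return { status: 400, action: 'rejected' };
  if (seen.has(id)) return { status: 200, action: 'duplicate' }; // ack, do not reprocess
  seen.add(id);
  const event = JSON.parse(rawBody.toString('utf8')); // parse only verified bytes
  return { status: 200, action: 'processed', event };
}

// Constructed sample deliveries: first delivery, replay, tampered body.
function demo() {
  const secret = 'constructed-test-secret';
  const body = Buffer.from('{"id":1001,"topic":"orders/create"}');
  const tampered = Buffer.from('{"id":1002,"topic":"orders/create"}');
  const sig = crypto.createHmac('sha256', secret).update(body).digest('base64');
  const headers = { 'x-shopify-hmac-sha256': sig, 'x-shopify-webhook-id': 'wh-0001' };
  const seen = new Set();
  return [
    handleWebhook(headers, body, secret, seen).action,
    handleWebhook(headers, body, secret, seen).action,
    handleWebhook({ ...headers, 'x-shopify-webhook-id': 'wh-0002' },
      tampered, secret, seen).action,
  ];
}

console.log(demo());
```

The signature must be computed over the raw request bytes, before any JSON body parser re-serializes them.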

Data Protection

  • Per-user data isolation at the database level
  • Shopify tokens encrypted at rest, deleted on disconnect
  • Soft-delete architecture — data can be recovered or permanently purged
  • GDPR compliance webhooks for customer data requests and erasure
  • Regular review of data retention policies

Responsible Disclosure

If you discover a security vulnerability in Agent Rush, we appreciate your help in disclosing it responsibly. Please report security issues to security@agent-rush.com. We ask that you:

  • Provide sufficient detail to reproduce the issue
  • Give us reasonable time to fix the issue before public disclosure
  • Do not access or modify other users' data

We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.