Security & data handling.
How we protect your customer data, integration credentials, and tenant isolation. Built for the kind of due diligence your IT team will actually run on a vendor.
Your integration credentials never live as plaintext.
When you connect a payment processor, SMS provider, or accounting tool, the API keys are encrypted before they touch the database. Even our engineers can't read them in plaintext — they're decrypted only inside controlled server processes when a job needs to run.
Your data stays yours. Period.
Other companies on the platform can never read or write your data — and your store managers see only the stores they're assigned to. The isolation is enforced at the database layer, not just in UI filters. A district manager covering Nashville and Memphis sees exactly Nashville and Memphis; a query that asks for any other store returns zero rows.
| Data type | How it's protected |
|---|---|
| Customers, products, invoices, deliveries | Scoped to your company only — other tenants can't see your data even if their app code asked for it |
| Lifecycle tables (notes, activity, line items) | Inherit isolation from their parent records — no leak paths through join tables |
| Staff role changes | Promotions and assignments go through guarded paths only — never a raw database update |
| Store assignment changes | Same — every staff-store change is checked, logged, and reversible |
| Integration credentials | Read-only from the app — keys are decrypted only inside controlled server processes |
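The database-layer scoping described above, written out as an added PostgreSQL example (not RetailGenie's own schema): a manager sees only assigned stores, and child tables inherit that scope from their parent. The table names, the `app_user` role and the `app.staff_id` session setting are assumptions.

```sql
-- Added example, not RetailGenie's schema. Assumes PostgreSQL, an application
-- role "app_user" that does not own the tables, and a per-request session
-- setting "app.staff_id" holding the acting staff member's id.
CREATE TABLE stores (
  id         bigint PRIMARY KEY,
  company_id bigint NOT NULL,
  name       text   NOT NULL
);
CREATE TABLE staff_store_assignments (
  staff_id bigint NOT NULL,
  store_id bigint NOT NULL REFERENCES stores(id),
  PRIMARY KEY (staff_id, store_id)
);
CREATE TABLE invoices (
  id          bigint PRIMARY KEY,
  store_id    bigint NOT NULL REFERENCES stores(id),
  total_cents bigint NOT NULL
);
-- Child rows carry no store_id of their own; they inherit scope from the parent.
CREATE TABLE invoice_line_items (
  id         bigint PRIMARY KEY,
  invoice_id bigint NOT NULL REFERENCES invoices(id),
  sku        text   NOT NULL
);

-- FORCE applies the policies even to the table owner, so no code path can
-- bypass them by connecting as a privileged role. app_user also needs
-- GRANT SELECT on staff_store_assignments for the policy subquery to run.
ALTER TABLE invoices           ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY;
ALTER TABLE invoice_line_items ENABLE ROW LEVEL SECURITY, FORCE ROW LEVEL SECURITY;

-- A row is visible only if its store is assigned to the acting staff member.
-- If app.staff_id is unset, current_setting(..., true) yields NULL, the IN-list
-- is empty, and the policy fails closed rather than open.
CREATE POLICY invoices_by_assignment ON invoices FOR ALL TO app_user
  USING (store_id IN (
    SELECT store_id FROM staff_store_assignments
    WHERE staff_id = current_setting('app.staff_id', true)::bigint));

-- Line items are visible only when their parent invoice is visible: the
-- invoices policy is evaluated inside this subquery, so there is no second
-- store filter here that could drift out of sync with the parent.
CREATE POLICY line_items_via_parent ON invoice_line_items FOR ALL TO app_user
  USING (EXISTS (SELECT 1 FROM invoices i WHERE i.id = invoice_id));

-- Per request, the app pins the acting user inside the transaction:
--   BEGIN; SET LOCAL app.staff_id = '42';
--   SELECT * FROM invoices WHERE store_id = 7;  -- zero rows unless store 7 is assigned to staff 42
--   COMMIT;
```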
Customer PII never reaches Anthropic.
Every LLM call routes through a shared redaction helper that strips identifying fields before any prompt is constructed. The agent gets enough context to do its job (purchase history, product preferences, lifecycle stage) but nothing that could de-anonymize the customer if logged.
(Two-column comparison: "Stripped before AI" vs. "What the AI sees")
Immutable trail for every sensitive action.
Every sensitive change captures who did it, when, and what changed — including IP and device. The log can be read but never edited or deleted, so when something goes sideways you have an unambiguous record. Useful for both internal accountability and the kind of audit your CPA might run.
Where we are and where we're going.
We don't claim certifications we don't have. Here's the actual state of each compliance and security commitment, updated as we ship.
- Database-level encryption for all integration credentials (Shipped)
- Tenant data isolation across every customer-facing table (Shipped)
- Immutable audit log of every sensitive change (Shipped)
- Customer PII never sent to AI providers (Shipped)
- Per-user rate limiting on sensitive operations (Shipped)
- Daily backups (managed, 7-day retention) (Shipped)
- PCI-compliant card tokenization (Helcim hosted fields) (In progress)
- SOC 2 Type I attestation (Planned)
Reporting a vulnerability.
Found something? We'd rather hear from you than read about it on a bug bounty leaderboard. Email austin@retailgenie.io with reproduction steps. We respond within 24 hours.
We don't have a formal bug bounty program yet, but we credit responsible disclosure on the changelog and send a thank-you the way real humans do.