Encryption

AES-256 at rest in AWS RDS, TLS 1.3 in flight. Database backups encrypted with separate keys, retained 30 days.

Access control

Role-based access at the workspace level. SSO (SAML, Google) on the Harbour plan. Audit log of every sensitive action, retained 12 months.

Hosting

AWS ap-southeast-2 (Sydney). Data stays in Australia. Multi-AZ failover, daily backups, point-in-time recovery to the minute.

Penetration testing

Annual third-party pen-test by a CREST-certified firm. Latest report (June 2025) available under NDA on request.

Incident response

4-hour notification SLA for any incident affecting customer data. Status page updates within 15 minutes of detection.

Data lifecycle

Cancel and your workspace goes read-only for 30 days, then is fully deleted within 14 days. We don’t keep ghost copies.

SOC 2: Type II audit in progress · target Q4 2026
ISO 27001: aligned controls
GDPR: Standard contractual clauses available
APP: Australian Privacy Principles compliant

A few specifics

Sub-processors

We use AWS (hosting), Stripe (billing), Postmark (transactional email), and Plausible (anonymous product analytics). Full sub-processor list at stocura.com/subprocessors; we notify customers 30 days before adding a new one.

What we read from your stack

Cin7 Core: catalog, stock, suppliers, orders. Shopify: catalog, orders, prices, cost-per-item. We do not read customer PII (names, emails, shipping addresses) from either system — only the order line items and totals we need for forecasting.

What we never do

  • Sell, lease, or share your data with third parties.
  • Use your data to train models for other customers.
  • Auto-place purchase orders without explicit confirmation.
  • Push price changes to Shopify or Cin7 without you clicking confirm.

Reporting a vulnerability

Email security@stocura.com — PGP key on the page footer of our security disclosure page. We acknowledge within 24 hours and aim to triage within five business days. Public credit (or anonymity) at your choice.