Security

In transit

Connections to the marketplace and to every provider we call (the database, AI model providers, payments, email) are made over TLS.

At rest

Data is stored on Google Cloud, which encrypts data at rest. On top of that, we add our own envelope encryption for the most sensitive credentials you give us:

• Provider secrets and connection tokens — the bring-your-own-key provider keys you supply and any platform access token (for example a connected Shopify store’s offline token) are encrypted with AES-256-GCM, an authenticated encryption scheme, using a fresh random 96-bit nonce per value and a 128-bit authentication tag. A tampered or wrong-key value fails to decrypt rather than returning corrupt data.
• Fail-closed — if the encryption key is missing or malformed, secret operations error out; we never fall back to storing a secret in plaintext.

• API keys you mint are high-entropy random tokens stored only as a SHA-256 hash plus the last four characters — we cannot recover the original key, and we verify presented keys in constant time to resist timing attacks.
• Provider secrets are stored only as the AES-256-GCM ciphertext plus the last four characters. The plaintext is decrypted transiently in memory only to make the outbound call your plugin needs, and is never logged or returned.
• Exports and logs are secret-safe by construction — your data export shows API keys as last-four only and provider secrets as provider name plus last-four only; never any plaintext, hash or ciphertext. Our logs reference identifiers, not secret material.

• Isolation. Each merchant (tenant) is isolated from every other. Plugin data such as loyalty members, reviews and bookings is physically partitioned per tenant and site, and every server-side read re-verifies the tenant before acting — so a query in one tenant can never reach another tenant’s data.
• The single door. Every plugin API call flows through one gateway that, in order, parses and resolves the presented key (constant-time, rejecting revoked keys), resolves the tenant and site, enforces where the key may be presented from (a browser publishable key can never reach a server-only handler, and vice versa), checks the subscription entitlement, and enforces usage quotas and rate limits before any work is done. Access is decided in exactly one place.

• The collections that hold API keys, provider secrets and connection tokens are reachable only by trusted server-side processes using privileged credentials. Direct client access to them is denied by default by the database security rules.
• Within an account, actions are role-gated — destructive operations such as exporting or deleting the whole account are restricted to an account owner and require an explicit confirmation step.
• Administrative access to our infrastructure is limited to the personnel who need it.

Sensitive account actions are recorded in an append-only audit log, written only server-side, capturing the acting member’s identifier and email, the action, and a short summary. The audit log never stores secret material, and audit writes are best-effort so they can never block or roll back the action they describe.

Inbound platform webhooks (for example from Shopify) are verified before any processing — we compute an HMAC over the exact raw request bytes and compare it in constant time, rejecting anything that does not match with a 401 before we parse or act on the payload. Oversized bodies are rejected up front.

Our primary data store — holding account data, configuration and the personal data plugins collect — is hosted in the European Union (Cloud Firestore, eur3 multi-region), and our Tóg-paid AI path runs in an EU region by default. Some sub-processors are located outside the EU; those transfers are covered by appropriate safeguards described in our DPA and listed on our Sub-processors page.

The marketplace is built on managed, security-maintained platforms — Google Cloud and Firebase for the database, authentication and storage, and Vercel for hosting — which handle the underlying patching and network security of the infrastructure we run on. We keep our application dependencies updated and review changes before they ship.

If you believe you have found a security vulnerability, please tell us promptly and privately at support@togs.ie. Please give us enough detail to reproduce the issue and reasonable time to remediate before any public disclosure, and please do not access or modify other users’ data, degrade the service, or run intrusive automated scans. We will acknowledge your report and keep you updated. A formal disclosure policy and any dedicated security address are being finalised: [OWNER: Confirm the responsible-disclosure policy details and any dedicated security contact (e.g. security@togs.ie)].

Need a security questionnaire completed or a deeper conversation with your security team? Email support@togs.ie.

We will keep this page current as our practices evolve, updating the effective date and version above. We may improve our security measures at any time, provided the level of protection is not materially reduced.