Security

How we protect your data and EDI transmissions

Data in Transit

  • HTTPS/TLS — All connections to the RetailReady platform use TLS encryption. API calls, web access, and webhook notifications are encrypted end-to-end.
  • SFTP — EDI document transfers to retailers use SSH File Transfer Protocol with key-based authentication.
  • AS2 — Applicability Statement 2 (AS2) transmissions use signed and encrypted messages with digital certificates for retailer connections that require it.

Data at Rest

  • Credential encryption — Sensitive credentials (SFTP passwords, AS2 private certificates, API keys) are encrypted at rest using ASP.NET Data Protection.
  • Password hashing — User passwords are hashed using industry-standard algorithms via ASP.NET Identity. We never store plaintext passwords.
  • Database — Production databases are hosted on encrypted storage volumes.

Authentication & Access Control

  • JWT tokens — Session authentication uses short-lived JSON Web Tokens with refresh token rotation.
  • Email verification — All accounts must verify their email address before gaining full platform access.
  • Password policy — Passwords must be at least 8 characters long and contain an uppercase letter, a lowercase letter, and a digit.
  • Account lockout — Accounts are temporarily locked after 5 failed login attempts.
  • Google OAuth — Optional single sign-on via Google, using standard OAuth 2.0 authorization code flow.
  • Role-based access — Customer and admin roles with separate permission boundaries. Customers can only access their own data.
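The password policy and account-lockout rules listed above, implemented as an added TypeScript example (this is not RetailReady's code; the 15-minute lockout window, the in-memory attempt store and the `verify` callback that stands in for the ASP.NET Identity hash check are assumptions made for the example):

```typescript
// Added example, not RetailReady's code. Enforces the rules stated on this
// page: minimum 8 characters with upper, lower and digit; lock after 5 failed
// logins. The lockout length and the in-memory store are assumptions; a real
// deployment keeps attempt counters in the database or a shared cache so they
// survive restarts and scale-out.

export interface PolicyResult {
  ok: boolean;
  failures: string[];
}

// Password policy: minimum 8 characters, at least one uppercase letter,
// one lowercase letter and one digit. Returns every rule that failed so the
// UI can show all problems at once.
export function checkPasswordPolicy(password: string): PolicyResult {
  const failures: string[] = [];
  if (password.length < 8) failures.push("minimum length 8");
  if (!/[A-Z]/.test(password)) failures.push("uppercase letter required");
  if (!/[a-z]/.test(password)) failures.push("lowercase letter required");
  if (!/[0-9]/.test(password)) failures.push("digit required");
  return { ok: failures.length === 0, failures };
}

export const MAX_FAILED_ATTEMPTS = 5;      // from the page
export const LOCKOUT_MS = 15 * 60 * 1000;  // assumed: 15-minute temporary lock

interface LockoutState {
  failedAttempts: number;
  lockedUntil: number | null; // epoch milliseconds, null when not locked
}

export class LoginAttemptTracker {
  private state = new Map<string, LockoutState>();

  // True while the account's temporary lock is still in force at time `now`.
  isLocked(account: string, now: number = Date.now()): boolean {
    const s = this.state.get(account);
    return s !== undefined && s.lockedUntil !== null && now < s.lockedUntil;
  }

  // Record one failed login. An expired lock is cleared first so stale
  // failures do not carry over into the next window.
  recordFailure(account: string, now: number = Date.now()): LockoutState {
    let s = this.state.get(account);
    if (s === undefined || (s.lockedUntil !== null && now >= s.lockedUntil)) {
      s = { failedAttempts: 0, lockedUntil: null };
    }
    s.failedAttempts += 1;
    if (s.failedAttempts >= MAX_FAILED_ATTEMPTS) {
      s.lockedUntil = now + LOCKOUT_MS;
    }
    this.state.set(account, s);
    return { failedAttempts: s.failedAttempts, lockedUntil: s.lockedUntil };
  }

  // A successful login resets the counter.
  recordSuccess(account: string): void {
    this.state.delete(account);
  }
}

export type LoginOutcome = "ok" | "locked" | "bad-credentials";

// Login flow: a locked account is refused before the credential check runs,
// so the lock cannot be used as an oracle for guessing the password.
// `verify` is assumed to perform the password-hash comparison.
export function attemptLogin(
  tracker: LoginAttemptTracker,
  account: string,
  verify: () => boolean,
  now: number = Date.now(),
): LoginOutcome {
  if (tracker.isLocked(account, now)) return "locked";
  if (!verify()) {
    tracker.recordFailure(account, now);
    return "bad-credentials";
  }
  tracker.recordSuccess(account);
  return "ok";
}
```

The tracker is keyed by account rather than by client address so that a distributed guessing attempt against one account still trips the lock; pairing it with the per-endpoint rate limiting mentioned under Application Security covers the case of many accounts being tried from one source.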

Infrastructure

  • Dedicated servers for the API, background engine, and EDI transmission services
  • Separate EDI server for SFTP and AS2 communication, isolated from the application layer
  • Firewall rules restricting access to necessary ports only
  • Regular security updates applied to all servers and dependencies

Application Security

  • Input validation — All user inputs are validated on both client and server sides. Server-side validation uses data annotations and Zod schemas.
  • SQL injection prevention — All database access uses Entity Framework Core parameterized queries. No raw SQL interpolation.
  • XSS protection — User-generated content is sanitized. The frontend uses Svelte's built-in HTML escaping and DOMPurify where raw HTML is rendered.
  • CSRF protection — SvelteKit's form actions include CSRF protection by default.
  • Rate limiting — Authentication endpoints are rate-limited to prevent brute-force attacks.

Third-Party Services

We integrate with a limited set of trusted third-party services:

  • Stripe — PCI DSS Level 1 certified payment processor. Payment data goes directly to Stripe and is never stored on our servers.
  • Google — OAuth authentication only. We request minimal scopes (email and profile).
  • Anthropic (Claude) — AI assistant queries. No personally identifiable information is sent in AI requests.
  • Resend — Transactional email delivery with TLS encryption.

EDI-Specific Security

  • Sandbox isolation — Practice mode documents are never transmitted to real trading partners. Sandbox data is clearly separated from live operations.
  • Per-customer isolation — Each customer's EDI documents, trading partners, and configurations are fully isolated. No cross-customer data access is possible.
  • AS2 certificate management — Trading partner certificates are stored encrypted and used only for their designated connections.
  • Audit trail — All document transmissions, status changes, and administrative actions are logged with timestamps and user attribution.

Incident Response

In the event of a security incident affecting customer data, we will notify affected customers within 72 hours with details about the incident, its impact, and remediation steps taken.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly to security@retailreadyedi.com. We take all reports seriously and will respond within 48 hours.