Security
Cassian™ handles sensitive store data every day. We take that seriously. Here's exactly how we protect your information, who has access, and what our commitments are.
Data protection
Infrastructure
Vercel
Next.js application hosted on Vercel's edge network. Automatic HTTPS, DDoS protection, and global CDN. US and EU regions available.
Supabase (PostgreSQL)
Managed PostgreSQL with row-level security (RLS) enforced at the database layer. Every query is scoped to the authenticated user’s organisation. Hosted in the United States (us-east-1). EU region on the roadmap.
Cloudflare R2
Screenshots and PDF reports stored on Cloudflare R2. Encrypted at rest, served via Cloudflare's global CDN with signed URLs.
Encryption & access control
All data in transit is encrypted with TLS 1.3. Every connection to Cassian — from browser to API to Shopify connector — is encrypted end-to-end. We enforce HTTPS everywhere with HSTS preload.
All data at rest is encrypted with AES-256. Database volumes, file storage, and backups are all encrypted. Encryption keys are managed by our infrastructure providers and rotated automatically.
Database queries are scoped to the authenticated user's organisation via row-level security (RLS). Internal team access follows least-privilege principles with audit logging on all data access.
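As an added illustration of the organisation scoping described above (example SQL written for this page, not Cassian's own schema or policies): PostgreSQL row-level security in the pattern Supabase uses, with the weak policy left commented out beside the corrected one. Table and column names are constructed; auth.uid() and auth.role() are Supabase's helpers exposing the verified caller's identity.

```sql
-- Constructed schema: membership mapping plus the per-organisation data to protect.
create table organisation_members (
  user_id         uuid not null,
  organisation_id uuid not null,
  primary key (user_id, organisation_id)
);

create table store_reports (
  id              bigint generated always as identity primary key,
  organisation_id uuid not null,
  page_url        text not null,
  score           numeric
);

-- Without ENABLE, policies are never consulted and every row is visible.
-- FORCE makes the policies apply to the table owner as well.
alter table organisation_members enable row level security;
alter table store_reports enable row level security;
alter table store_reports force row level security;

-- Users may read only their own membership rows. The report policy below
-- depends on this, because its subquery runs with the caller's privileges.
create policy my_memberships on organisation_members
  for select to authenticated
  using (user_id = auth.uid());

-- Weak policy (anti-pattern, left commented out): it only checks that a
-- session exists, so any signed-in user can read every organisation's reports.
-- create policy reports_any_signed_in on store_reports
--   for select to authenticated
--   using (auth.role() = 'authenticated');

-- Correct policy: the organisation is derived from the verified JWT subject
-- (auth.uid()), never from a value the client supplies in the query.
-- WITH CHECK applies the same rule to rows being inserted or updated.
create policy reports_in_my_organisations on store_reports
  for all to authenticated
  using (
    organisation_id in (select organisation_id from organisation_members
                        where user_id = auth.uid())
  )
  with check (
    organisation_id in (select organisation_id from organisation_members
                        where user_id = auth.uid())
  );

-- Check: both flags should be true for the protected table.
select relrowsecurity, relforcerowsecurity
from pg_class where relname = 'store_reports';
```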
Passwordless authentication via one-time codes. No passwords to steal, no credentials to leak. Enterprise customers can configure SSO (SAML) for centralised identity management.
AI & LLM data handling
Cassian AI™ uses Claude (Anthropic), GPT-5 (OpenAI), and Gemini (Google) for content analysis, translation quality scoring, and issue detection. All interactions with these models happen via their commercial API endpoints.
Neither Anthropic nor OpenAI train on data submitted via their commercial APIs.
All data processing is transient — page content is sent for analysis and discarded after scoring.
We do not store raw LLM prompts or responses beyond the structured results (scores, issues, suggestions).
No customer data is shared with third parties for advertising, profiling, or any purpose beyond the analysis you authorised.
GDPR
Cassian is designed for global ecommerce. Many of our customers operate in the EU and UK, and we treat GDPR compliance as a baseline requirement, not an add-on.
Data is currently hosted in US East; an EU region is on the roadmap for EU/UK customers.
DPA available on request for all paying customers.
Close your account and all data is deleted within 30 days.
We implement all three mandatory Shopify GDPR webhooks: customer/data-request, customer/redact, and shop/redact.
Compliance roadmap
Full GDPR compliance via Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). Data Processing Agreement (DPA) available on request. Right to erasure via account closure — all data deleted within 30 days. EU data residency on the roadmap.
We're working towards SOC 2 Type II certification. This covers security, availability, processing integrity, confidentiality, and privacy controls.
Information security management system certification is part of our long-term commitment to enterprise-grade security practices.
If you've found a security vulnerability in Cassian, we want to hear about it. We take all reports seriously and will respond within 24 hours. Please do not disclose vulnerabilities publicly before we've had a chance to address them.
security@getcassian.com
For more detail on how we handle your data, refer to these documents.