Built like the bank we pay through.

Multi-tenancy

RLS or it didn't happen.

Every tenant-scoped table in our Postgres schema enforces row-level security. The app.current_merchant_ids() helper resolves the user's memberships from merchant_users, and every SELECT / INSERT / UPDATE policy filters on it. Cross-tenant data exposure is structurally impossible — even if our application code has a bug, the database refuses the query.

We carry an automated RLS smoke test in CI that creates two test merchants and asserts merchant A's session can't read merchant B's rows. Build doesn't pass without it.

Audit log

Append-only, every state transition.

audit_log is an append-only table that captures every meaningful event: affiliate approvals/suspensions, commission state transitions, payout sends, tax form submissions, Mercury connections, custom domain changes, GDPR requests, even branding edits. It writes via service-role only — there's no INSERT/UPDATE/DELETE policy that allows merchants to tamper with their own history.

A daily retention cron (purge_audit_log_older_than(p_days)) trims anything older than your configured retention (default 365 days). Enterprise plans get configurable retention SLAs.

PII handling

Customer data hashed at the source.

• Yes Customer emails, phones, IPs hashed with a per-merchant random salt at the WP / Shopify layer before reaching us
• Yes Same merchant + same email always hashes consistently (so we can match across orders); cross-merchant collisions are statistically impossible
• Yes GDPR data export + deletion endpoints in Settings → Privacy
• Yes Affiliate erasure: clears PII, drops Vault secrets, deletes auth user, preserves financial history