Security

Protecting your shipping data is core to how we build NinjaShip. Here's how we keep your information safe.

Encryption

  • All data in transit is encrypted via HTTPS, with HSTS preloading and a two-year max-age so browsers never fall back to plaintext HTTP
  • Integration credentials and OAuth tokens are encrypted at rest with AES-256-GCM
  • Passwords are hashed with bcrypt at a cost factor of 12 (2^12 rounds) — never stored in plaintext
  • API keys are bcrypt-hashed before storage — the full key is shown only once at creation

Authentication

  • Access tokens are short-lived (15 minutes); refresh tokens are rotated on every use and expire after 7 days
  • Refresh tokens are stored server-side, so a refresh token presented again after it has already been rotated is detected as reuse and invalidated
  • OAuth flows use cryptographically random state parameters with PKCE where supported
  • Login errors use generic messages to prevent account enumeration

API Security

  • All API inputs validated with strict schemas — malformed requests are rejected
  • Rate limiting on all endpoints: 10 requests/min for auth, 100 requests/min for general API
  • Webhook signatures verified with HMAC-SHA256 and timing-safe comparisons
  • Organization-level data isolation — users can only access their own organization's data

Infrastructure

  • Hosted on Vercel with automatic TLS and DDoS protection
  • Database hosted on Neon with encrypted connections
  • Security headers on every response: HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • No raw SQL — all database queries use a type-safe ORM with parameterized statements

Payment Security

  • All payment card data is collected via Stripe Elements — card numbers never touch our servers
  • NinjaShip does not store, process, or have access to your full card details
  • Stripe webhook events have their signatures verified before they are processed, so a forged or tampered event is rejected

Compliance

  • Shopify mandatory webhook handlers: app/uninstalled, customers/redact, shop/redact
  • Data purge endpoints for integration disconnection and GDPR data deletion requests
  • Integration tokens are immediately revoked and deleted on app uninstall or disconnection

Report a Vulnerability

If you discover a security issue, please contact us immediately. We take all reports seriously and will respond promptly.