Our Security Commitment
LoyaltyTree is built with security-first principles. As a Shopify partner handling merchant and customer data, we understand the critical importance of protecting every piece of information entrusted to us.
Last Security Review: January 2026
AI-Built, Continuously Audited
LoyaltyTree is built entirely with AI-assisted development, enabling rapid iteration while maintaining rigorous security standards through continuous automated review.
AI-Powered Development
Every line of code is written and reviewed by advanced AI systems trained on security best practices. This enables consistent application of security patterns across the entire codebase, eliminating common human errors that lead to vulnerabilities.
Continuous Security Auditing
Security reviews happen continuously as part of development, not just at the end. Every code change is analyzed for potential vulnerabilities, injection risks, authentication bypasses, and data exposure before deployment.
Architectural Review
AI-driven architectural analysis ensures secure design patterns are followed throughout the application. Multi-tenant isolation, proper access controls, and data protection measures are verified at every layer.
Human Oversight
While AI handles development and initial security review, all major features undergo human review before release. Critical security decisions are approved by the development team to ensure real-world context is considered.
Recent Security Audit Highlights (January 2026)
- Client-side code review for sensitive data exposure — all Shopify access tokens sanitized
- Authentication flow hardening — mandatory MFA enforcement for all admin accounts
- Session security review — 48-hour expiry with secure cookie configuration
- API endpoint authorization — all routes verified for proper access control
- Password reset security — time-limited tokens with 2-hour expiration
Data Encryption
- AES-256-CBC encryption for sensitive data at rest
- TLS 1.3 encryption for all data in transit
- SHA-256 hashing for customer email addresses
- Encrypted API tokens for all third-party integrations
Authentication Security
- Mandatory Multi-Factor Authentication (MFA) for all admin accounts
- 48-hour session expiry with automatic re-authentication
- Secure password hashing using bcrypt with salt
- OAuth 2.0 integration with Shopify for seamless, secure access
Infrastructure Security
- Serverless PostgreSQL with automated backups via Neon
- Environment isolation between development and production
- Secure secret management with encrypted environment variables
- Regular security updates and dependency patching
Access Controls
- Role-based access control with admin and member roles
- Multi-tenant data isolation at the database level
- SQL-level verification preventing cross-account access
- Invite-only registration for platform administration
Shopify Integration Security
Official Shopify Partner
Listed on the Shopify App Store with full compliance verification
HMAC Verification
All Shopify webhooks and proxy requests are cryptographically verified
Minimal Permissions
We request only the API scopes necessary for loyalty program operation
Security Practices
Secure Development Practices
All code undergoes security review. We use parameterized queries to prevent SQL injection, input validation on all endpoints, and Content Security Policy headers.
Audit Logging
Comprehensive logging of authentication events, data access, and administrative actions for security monitoring and compliance.
Token Expiration
Password reset tokens expire after 2 hours. Email verification tokens expire after 24 hours. Session tokens require re-authentication every 48 hours.
Data Backup & Recovery
Automated database backups with point-in-time recovery capabilities. Regular backup testing ensures data can be restored when needed.
Questions About Security?
We're committed to transparency about our security practices. If you have questions or concerns, our team is here to help.
Contact Security Team