Security
Shelvado handles sensitive business data — pricing strategies, brand relationships, program investments, and billing details. We take that responsibility seriously. This page describes the security controls built into the platform today.
Authentication & Access Control
Credential-based authentication with password hashing: passwords are stored only as hashes produced by a password-hashing function, never in plaintext. Passwords are validated against strength requirements during onboarding and account setup.
Role-based permission hierarchy enforced on both the client and server side:
- Retailer roles: Admin (full access), Manager (assigned brands only), Viewer (read-only)
- CPG roles: Admin (team and billing management), Member (standard access)
Server-side enforcement on every API mutation endpoint. Permission checks are not client-side only — the server independently verifies that the authenticated user has the appropriate role and brand assignment before processing any request.
Brand-scoped access control for retailer Manager users. Managers can only view and act on submissions, approvals, and data associated with their assigned CPG brands. This is enforced at the API layer, not just the UI.
First-login onboarding flow requires new users to confirm their profile and set a strong password before accessing the platform. Accounts are created with a forced password change flag that cannot be bypassed.
Session Management
JWT-based sessions managed by our authentication framework. Session tokens are stored in HTTP-only cookies, inaccessible to client-side JavaScript.
Automatic idle timeout after 15 minutes of inactivity. Users receive a 2-minute warning modal before being signed out. The session is terminated on both the server and the client.
Session invalidation on password change and sign-out.
Administrative session revocation: Retailer administrators can instantly revoke active sessions for any user in their organization. Revoked sessions are terminated on the next request — users are signed out and must re-authenticate.
Rate Limiting & Abuse Prevention
Login rate limiting: 10 attempts per 15 minutes per IP address. Exceeding this threshold temporarily blocks further login attempts from that IP.
Password reset rate limiting: forgot-password and reset-password requests are rate-limited per IP to prevent abuse.
Password reset tokens are time-limited and single-use; a token that has expired or has already been used is rejected.
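The login and password-reset limits above, as an added illustration that is not Shelvado's own code: an in-process sliding-window limiter keyed by client address, using the 10-per-15-minutes login figure from this page and an assumed 5-per-hour figure for reset requests (the page gives no number for those). It also shows the check that matters in practice and that the page does not cover: X-Forwarded-For is only trusted when a proxy you operate sets it. The addresses and traffic are constructed for the example.

```python
import math
import time
from collections import defaultdict, deque

# Limits stated on this page: 10 login attempts per 15 minutes per IP.
LOGIN_LIMIT = 10
LOGIN_WINDOW_SECONDS = 15 * 60
# The page only says reset requests are limited per IP; these two values
# are assumed for the example and are not Shelvado's actual thresholds.
RESET_LIMIT = 5
RESET_WINDOW_SECONDS = 60 * 60


class SlidingWindowLimiter:
    """Per-key attempt counter over a trailing window (in process memory here;
    a multi-instance deployment would keep the counters in shared storage)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._attempts = defaultdict(deque)  # key -> timestamps, oldest first

    def _live(self, key, now):
        q = self._attempts[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        return q

    def allow(self, key):
        """Record an attempt for key; True if it was within the limit."""
        now = self.clock()
        q = self._live(key, now)
        if len(q) >= self.limit:
            return False  # refused, and not counted
        q.append(now)
        return True

    def retry_after(self, key):
        """Whole seconds until key may try again (0 if not blocked)."""
        now = self.clock()
        q = self._live(key, now)
        if len(q) < self.limit:
            return 0
        return max(0, math.ceil(self.window - (now - q[0])))


def client_ip(remote_addr, headers, behind_trusted_proxy):
    """Address to count against. X-Forwarded-For is client-controlled unless a
    proxy you operate sets it, so it is honoured only behind such a proxy, and
    then only its last entry (the address that proxy itself saw)."""
    xff = headers.get("X-Forwarded-For", "")
    if behind_trusted_proxy and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


def login_attempt(limiter, remote_addr, headers, behind_trusted_proxy=False):
    """HTTP-style (status, extra headers) for one login attempt."""
    ip = client_ip(remote_addr, headers, behind_trusted_proxy)
    if not limiter.allow(ip):
        return 429, {"Retry-After": str(limiter.retry_after(ip))}
    # Credential verification would follow here; only the limit is shown.
    return 200, {}


class FakeClock:
    """Deterministic clock so the window can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Constructed traffic: 11 logins from one address, one from another,
    a spoofed header, the window expiring, and six reset requests."""
    clock = FakeClock()
    login = SlidingWindowLimiter(LOGIN_LIMIT, LOGIN_WINDOW_SECONDS, clock)
    reset = SlidingWindowLimiter(RESET_LIMIT, RESET_WINDOW_SECONDS, clock)
    first_eleven = [login_attempt(login, "203.0.113.7", {})[0] for _ in range(11)]
    other_ip = login_attempt(login, "198.51.100.2", {})[0]
    wait = login.retry_after("203.0.113.7")
    # Not behind a trusted proxy, so the spoofed header changes nothing.
    spoofed = login_attempt(login, "203.0.113.7", {"X-Forwarded-For": "10.0.0.1"})[0]
    clock.advance(LOGIN_WINDOW_SECONDS)  # the first attempts age out
    after_window = login_attempt(login, "203.0.113.7", {})[0]
    reset_sixth = [reset.allow("203.0.113.7") for _ in range(6)][-1]
    return {"first_eleven": first_eleven, "other_ip": other_ip, "retry_after": wait,
            "spoofed": spoofed, "after_window": after_window, "reset_sixth": reset_sixth}
```

Both successful and failed logins count here, matching the page's wording "attempts". A refused attempt is not recorded, so a blocked address is not pushed further back by continuing to retry; whether that is desirable depends on the threat you care about.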
File Upload Security
Server-side file validation: All uploaded files are verified using binary content inspection, not just file extension or declared content type. Files that don't match allowed formats are rejected before storage. Size limits are enforced on both client and server.
Audit Trail
Comprehensive audit logging across all platform actions. Every create, update, delete, approval, and status change is recorded with:
- Timestamp
- User identity (name, email, role)
- Action performed
- Affected resource
Audit logs are accessible to Retailer Admins through a filterable interface in the platform. Logs are retained for a minimum of one year.
Data Isolation
Organization-scoped data access: CPG users can only see data belonging to their own organization. Server-side API routes filter all queries by the authenticated user's organization — a CPG user cannot access another organization's submissions, invoices, notifications, or billing information regardless of URL manipulation.
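An added example, not Shelvado's code, covering both the role and brand-assignment checks described under Authentication & Access Control and the organization scoping above. The caller's identity comes from the server-side session rather than from request parameters, the role check runs before any mutation, and the scope (organization for CPG users, assigned brands for retailer Managers) is part of the SQL predicate on both reads and writes, so a tampered id for another organization or brand simply finds no row. The schema, the rows, the role names as strings and the assumption that approval is a retailer action are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class User:
    """Identity as established by the server from the session, never from the
    request. Roles follow the page: retailer admin/manager/viewer, CPG
    admin/member. org_id applies to CPG users, brand_ids to managers."""
    id: int
    kind: str                      # "retailer" or "cpg"
    role: str
    org_id: Optional[int] = None
    brand_ids: FrozenSet[int] = frozenset()


class Forbidden(Exception):
    """The role itself does not permit the action (HTTP 403)."""


def open_demo_db():
    """In-memory schema with constructed rows: two CPG organisations (100, 200),
    each submission tied to one CPG brand."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE submissions (
            id INTEGER PRIMARY KEY,
            org_id INTEGER NOT NULL,
            brand_id INTEGER NOT NULL,
            status TEXT NOT NULL
        );
        INSERT INTO submissions VALUES
            (1, 100, 10, 'pending'),
            (2, 100, 11, 'pending'),
            (3, 200, 20, 'pending');
    """)
    return conn


def scope_filter(user):
    """SQL fragment and parameters restricting rows to what user may see.

    The fragment is assembled only from fixed strings and '?' placeholders;
    every user-derived value is bound as a parameter.
    """
    if user.kind == "cpg":
        return "org_id = ?", [user.org_id]
    if user.kind == "retailer" and user.role in ("admin", "viewer"):
        return "1 = 1", []                 # whole tenant (one retailer per database)
    if user.kind == "retailer" and user.role == "manager":
        if not user.brand_ids:
            return "0 = 1", []             # no assignments: sees nothing
        marks = ", ".join("?" for _ in user.brand_ids)
        return f"brand_id IN ({marks})", sorted(user.brand_ids)
    raise Forbidden(f"unknown principal {user.kind}/{user.role}")


def get_submission(conn, user, submission_id):
    """One submission the caller may see, else None.

    The scope is part of the WHERE clause, so a guessed or tampered id for
    another organisation or brand finds no row. Respond 404 either way so the
    endpoint does not reveal which ids exist.
    """
    where, params = scope_filter(user)
    return conn.execute(
        f"SELECT id, org_id, brand_id, status FROM submissions WHERE id = ? AND {where}",
        [submission_id, *params],
    ).fetchone()


def approve_submission(conn, user, submission_id):
    """Mutation: role check first, then the same scoped predicate on the UPDATE.

    Approval is treated as a retailer action here (an assumption for the
    example); viewers are read-only and are refused outright.
    """
    if user.kind != "retailer" or user.role not in ("admin", "manager"):
        raise Forbidden("role may not approve submissions")
    where, params = scope_filter(user)
    cur = conn.execute(
        f"UPDATE submissions SET status = 'approved' "
        f"WHERE id = ? AND status = 'pending' AND {where}",
        [submission_id, *params],
    )
    conn.commit()
    return cur.rowcount == 1               # False: out of scope or not pending


if __name__ == "__main__":
    db = open_demo_db()
    cpg = User(1, "cpg", "member", org_id=100)
    mgr = User(2, "retailer", "manager", brand_ids=frozenset({10}))
    print(get_submission(db, cpg, 3))      # None: belongs to organisation 200
    print(get_submission(db, mgr, 2))      # None: brand 11 is not assigned
    print(approve_submission(db, mgr, 1))  # True
```

Returning None (a 404) for both "does not exist" and "not yours" keeps the endpoint from confirming which ids exist across tenants. Putting the scope into the UPDATE itself, rather than reading the row, checking it and then writing, also removes the window between the check and the write in which the row could change.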
Tenant-level database isolation. Each retailer environment runs on its own dedicated database instance. There is no shared database between tenants: data is separated at the database level, not just filtered by access controls.
Data in Transit
All data transmitted between users and the platform is encrypted via TLS/HTTPS. This includes:
- Authentication credentials
- Platform API requests and responses
- File uploads (creative assets, program images)
- Submission of outbound email to our email delivery provider (TLS-encrypted SMTP)
The platform is hosted on an infrastructure provider that enforces HTTPS on all connections and provides automatic TLS certificate management.
Data at Rest
Platform data is stored in a hosted database with encryption at rest for all stored data.
Uploaded files (creative assets, program images, proof-of-performance reports) are stored in a managed file storage service with server-side encryption.
Infrastructure
The platform runs on established cloud infrastructure providers for application hosting, database, file storage, email delivery, and static site hosting. All providers are US-based or operate within US regions. Specific provider details are available upon request for customers under NDA.
Responsible Disclosure
If you discover a security vulnerability in the Shelvado platform, we ask that you report it responsibly. Please email hello@shelvado.com with details. We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities promptly.
We ask that you:
- Not access or modify data belonging to other users
- Not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
- Provide sufficient detail for us to reproduce and understand the issue
Contact
For security questions or concerns, contact us at: