Trust, by design
Datora handles your store's catalog, customer-facing copy and Shopify tokens. Here's exactly how we protect them.
All merchant data is stored in EU data centers. Backups are encrypted and never leave the region.
TLS 1.2+ in transit, AES-256 at rest. Shopify access tokens are encrypted with envelope encryption before they touch the database.
Role-based access control with owner / admin / member tiers. Master operators use a separate identity surface and SSO.
Every privileged action – auth, settings, billing, AI provider changes – is recorded in an immutable audit log you can export.
Postgres row-level security enforces hard org boundaries on every read and write. No app-layer-only checks.
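The policy pattern the line above describes, as an added example (not Datora's own schema): a per-org boundary enforced by Postgres row-level security so that a missing WHERE clause or an application bug cannot read or write across orgs. The role, table, column and setting names (app_user, products, org_id, app.current_org) and the UUIDs are assumptions constructed for the illustration.

```sql
-- Added example, not Datora's schema. Names below are assumptions.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE products (
  id      bigserial PRIMARY KEY,
  org_id  uuid NOT NULL,
  title   text NOT NULL
);

GRANT SELECT, INSERT, UPDATE, DELETE ON products TO app_user;
GRANT USAGE, SELECT ON SEQUENCE products_id_seq TO app_user;

-- Turn RLS on and make it apply even to the table owner.
ALTER TABLE products ENABLE ROW LEVEL SECURITY;
ALTER TABLE products FORCE ROW LEVEL SECURITY;

-- The request's org is carried in a transaction-local setting. If it is
-- unset, current_setting(..., true) returns NULL, the comparison is never
-- true, and the policy fails closed: no rows are visible or writable.
CREATE POLICY org_isolation ON products
  FOR ALL TO app_user
  USING      (org_id = current_setting('app.current_org', true)::uuid)
  WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

-- Usage inside one application request (constructed org id):
BEGIN;
SET ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';

INSERT INTO products (org_id, title)
  VALUES ('11111111-1111-1111-1111-111111111111', 'Blue jacket');  -- accepted

-- Even with no WHERE clause, only rows of org 1111... are returned.
SELECT id, org_id, title FROM products;
COMMIT;

-- An INSERT or UPDATE that sets org_id to any other value, e.g.
-- '22222222-2222-2222-2222-222222222222', is rejected by WITH CHECK
-- with "new row violates row-level security policy", and the transaction
-- is aborted, regardless of what the application layer checked.
```

SET LOCAL scopes the org id to the transaction, so a pooled connection cannot carry one request's org into the next; FORCE ROW LEVEL SECURITY closes the common gap where the application connects as the table owner, which RLS would otherwise skip.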
Found something? Email security@datora.app. We acknowledge within 24 hours and triage with you.
Compliance FAQ
Where is my data stored?
Primary database and file storage live in EU regions (Frankfurt). Backups are encrypted, EU-only, and retained for 30 days.
Do you sign a DPA?
Yes. A GDPR-compliant Data Processing Agreement is part of every paid plan and available on request for trials.
Which sub-processors do you use?
A short, public list of sub-processors (hosting, email, AI providers) is maintained at /legal/datenschutz. We notify customers before adding any new processor.
How do you handle Shopify tokens?
Tokens are encrypted with a per-org key derived from a KMS-managed root key. They are never logged, never returned via the API and rotatable on demand.
Can I delete my data?
Yes. Org owners can trigger a hard delete from settings; we purge primary storage immediately and rotate backups out within 30 days.
Do you have SOC 2 / ISO 27001?
We follow SOC 2 controls internally and our SOC 2 Type II audit is in progress. ISO 27001 is on the roadmap for 2026.
Report a vulnerability
We take responsible disclosure seriously. Send a write-up to the address below – please avoid automated scanning against production. We acknowledge within 24 hours.
security@datora.app