Security
Last updated: May 25, 2026
Auraflow processes behavioural data on behalf of Shopify merchants. This page describes the technical and organisational controls in place today and the standards we align with. For the formal legal layer, see our Privacy Policy, Data Processing Agreement, Sub-Processor List, and Personal Data Breach Response Procedure.
A detailed security whitepaper is available to prospective customers and security teams under a mutual NDA. Email support@kosmatic.com to request a copy.
1. Data minimisation
We collect only what is operationally necessary, and prefer on-device derivation over server-side ingestion wherever the visitor's browser supports it.
Raw behavioural signals are normalised and classified into archetype probabilities inside the visitor's browser. Only the derived archetype scores and confidence values cross the trust boundary onto our servers — the underlying observations themselves never leave the device.
Visitor identity is scoped per merchant. A shopper visiting two different storefronts that both use Auraflow generates two independent visitor identifiers; we do not correlate behaviour across merchants and we operate no cross-store visitor graph. The tracker does not use device fingerprinting; identity within a single merchant is established by a first-party cookie scoped to that merchant's domain.
Signal collection is session-scoped. When the shopper closes the tab or ends the session, the tracker stops recording. A returning visitor resumes a new session against the same first-party identifier; the previous session's raw signals are not retained, only the derived archetype state required to continue the personalisation experience.
We do not collect:
- Payment card details — these are processed by Shopify and Stripe and never traverse our infrastructure
- Storefront visitor IP addresses (see paragraph below)
- Any storefront data the merchant has not explicitly authorised us to receive via Shopify's permission model
Storefront visitor IP addresses are not stored. IPs are visible to our infrastructure at the transport layer — an unavoidable artefact of every HTTPS connection — and used transiently for operational integrity. They are never persisted as part of a visitor record. The only IP-derived data retained in a visitor profile is a coarsened country/region code; the raw IP is dropped once the geo lookup completes.
Email addresses and other identifiers are received only when a shopper voluntarily provides them (for example, a discount opt-in or cart-recovery flow) and are encrypted at rest immediately upon receipt.
2. Encryption
In transit. All connections use TLS 1.2 or higher with modern ciphersuites. Strict-mode certificate validation is enforced end-to-end. HSTS is enabled with includeSubDomains and preload.
At rest. Sensitive fields are encrypted with AES-256-GCM using authenticated encryption. Storage-layer encryption is provided by our managed Postgres host; application-layer encryption is layered on top for sensitive material so a compromised backup does not yield readable data.
Keys. The application encryption key is held in the hosting provider's secret manager. It is never logged, never serialised to disk, and never transmitted off the running process. Key rotation procedures are documented internally.
Passwords. Argon2id with parameters meeting current OWASP recommendations. Passwords are never stored in any form that can be reversed; verification compares hashes only.
3. Tenant isolation
Auraflow is multi-tenant by design. Isolation between merchants is enforced at multiple independent layers, including row-level security at the database. The redundancy is intentional: a query that omitted its application-layer tenant filter would still be refused at the database layer.
Per Shopify's app-platform requirements, machine-learning calibration is tenant-scoped. We maintain no pooled cross-merchant training dataset and no model that learns from one merchant and serves predictions to another. The shared component across merchants is the published archetype taxonomy itself, derived from behavioural-economics literature.
4. Access controls
4.1 Operator console
Access to the Auraflow operator console requires multi-factor authentication including hardware-backed and device-bound credentials. All administrative actions are recorded in an audit log — timestamped, attributed, and retained.
4.2 Merchant access
Merchants sign in with email and password (Argon2id) layered with multi-factor verification by authenticator app or email-delivered one-time code. Sign-ins from unrecognised devices trigger additional verification and an email notification to the account holder. Persistent ("stay signed in") sessions are restricted to recognised devices.
5. Tracker integrity
The JavaScript files that run on every merchant's storefront are cryptographically pinned using Subresource Integrity (SHA-384). Before the browser executes the script, it verifies that the bytes received match the expected hash; a single-byte alteration causes the browser to refuse execution. Pinning extends from the Shopify app embed through to every script the tracker loads dynamically.
This is the standard defence against third-party JavaScript supply-chain compromise. We enforce it across every link in the delivery chain.
6. AI security and governance
Auraflow's workflow intelligence runs on large language models that the merchant connects via their own API key. Auraflow operates no proprietary LLM; we orchestrate calls to the merchant's chosen provider and apply our safety and governance controls around those calls.
The behavioural classification engine that processes storefront signals is a separate, in-house system — not a language model, and it does not transmit storefront data to any third-party AI service.
Our AI governance is built on four principles:
- Identifiers are redacted from the AI's analytical surface; the model reasons over behavioural patterns, not identity.
- High-impact actions require explicit human approval in-app before execution; the merchant remains in control of outbound communications and configuration changes.
- The model operates within bounded capabilities — a defined tool surface, merchant-controlled cost limits, and exclusion from privacy and configuration settings.
- Every AI action is logged with audit-grade detail; persisted records exclude directly identifying fields.
Implementation detail and threat-class coverage are available to security teams under NDA.
7. Infrastructure
Auraflow is hosted on Render's managed infrastructure. Render holds SOC 2 Type II certification. The service is protected by Cloudflare at the edge.
8. Logging and monitoring
Comprehensive audit logs cover administrative actions, authentication events, webhook deliveries, and integration calls. These logs are reviewed regularly as part of operational hygiene. Anomalies are monitored against established baselines.
9. Compliance and standards
Auraflow's design and operation address requirements under:
- GDPR (EU 2016/679) and UK GDPR
- CCPA / CPRA (California)
- PIPEDA (Canada)
Our AI security model is aligned with:
- OWASP LLM Top 10 (2025 edition)
- OWASP Agentic AI Security Initiative (2025)
- Model Context Protocol Specification (2025-06-18)
- NIST AI Risk Management Framework
We support standard data subject requests — access, portability, erasure, restriction — within statutory timelines. The full procedure is described in our Privacy Policy and our Personal Data Breach Response Procedure. Our Sub-Processor List catalogues every third party that may process personal data on our behalf, including transfer mechanisms and data categories.
Auraflow is currently under review against Shopify's Built for Shopify standards, which include independent security and performance requirements beyond standard app marketplace minimums.
Certifications — honest posture
We deliberately distinguish "aligned with" from "certified". SOC 2 Type II is targeted for the post-launch window and we do not represent ourselves as SOC 2 certified until that audit completes. ISO 27001 is on the roadmap, timing dependent on enterprise customer demand. We use language such as "SOC 2 ready" rather than "SOC 2 compliant" until the difference is closed by an external audit firm.
10. Reporting a security concern
If you believe you have found a security vulnerability affecting Auraflow, please contact support@kosmatic.com. We acknowledge reports within two business days and keep reporters informed of remediation progress.
For automated scanners and security researchers, machine-readable contact information conforming to RFC 9116 is published at /.well-known/security.txt.
What's not done yet
Security is a discipline practised continuously, and the measure of seriousness is how willingly an organisation discusses what is not yet finished. As of today:
- External penetration testing by a recognised firm is planned for the post-launch window
- Append-only audit log evolution is on the roadmap, complementing the comprehensive log already in place
- A public vulnerability disclosure programme will follow once the platform has reached a stable post-launch operating cadence
The full internal audit history is maintained internally and is available to enterprise buyers under NDA on request.
The controls described above are deployed and continuously verified. We document them not to display the work but to let anyone evaluating Auraflow make an informed decision about whether our stewardship of their data meets their standards.