Harbor Commerce

Security is not a feature — it is the foundation.

Every layer of Harbor Commerce is built with defense in depth. From tenant isolation to encryption at rest, security is embedded in the architecture.

Tenant Isolation

Every record scoped by organization ID. Complete data separation between tenants.

Role-Based Access

Granular RBAC with owner, admin, member, and viewer roles on every endpoint.

Encryption

Data encrypted at rest and in transit. TLS everywhere and PostgreSQL disk encryption.

Webhook Verification

Stripe signature verification with timestamp tolerance. Idempotent processing.

Rate Limiting

Redis-backed sliding-window rate limiting on all endpoints. Strict limits on authentication endpoints.

Audit Logging

Immutable audit trail for all write operations with IP, user agent, and change diffs.

API Key Security

SHA-256 hashed key storage. Keys shown once at creation. Rotation without downtime.

Incident Response

Centralized logging, monitoring, and alerting. Structured error tracking with request correlation.

2FA / TOTP

Time-based one-time password authentication with backup codes. Protect accounts with a second factor.

IP Allowlisting

Restrict API access to specific IP addresses or CIDR ranges. Block unauthorized network access.

Compliance & Standards

Harbor Commerce is designed with compliance in mind across every layer of the stack.

  • SOC 2 Readiness

    Controls aligned to SOC 2 Type II trust service criteria.

  • GDPR Awareness

    Data handling practices designed with GDPR principles in mind.

  • PCI DSS (via Stripe)

    Card data never touches Harbor servers. PCI compliance handled by Stripe.

  • Data Encryption at Rest

    All persistent data encrypted using AES-256 via PostgreSQL disk encryption.

  • Structured Logging

    Every request logged with correlation IDs for traceability and audit.

Infrastructure Security

The runtime environment is hardened at every level, from the network edge to the database.

  • PostgreSQL Encryption at Rest

    Database volumes encrypted with AES-256. Backups encrypted in transit and at rest.

  • Redis with TLS

    In-memory data store secured with TLS connections and authentication.

  • Docker Containerization

    All services run in isolated containers with minimal attack surface.

  • TLS Everywhere

    All traffic encrypted in transit. HTTPS enforced on every endpoint.

  • Nginx Reverse Proxy

    Edge proxy with rate limiting, request filtering, and TLS termination.

  • Structured Logging with Correlation

    Every request tagged with a correlation ID for end-to-end traceability.