Security

How we keep your data safe.

ShopTopia stores sensitive information: your store, your customers, and your transaction history. This page explains the technical and organizational controls we apply, in plain language you can judge yourself.

Technical practices

Eight core protection layers

Encryption in transit and at rest

All traffic between browser, ShopTopia servers, and third-party APIs is TLS 1.2+. Data at rest is AES-256 encrypted by our infrastructure providers (Supabase, Vercel).

WhatsApp OTP-based seller authentication

Sellers log in with a one-time password (OTP) sent to a verified WhatsApp number, so there is no seller password to leak or to reuse across services. The verified number is then the credential, so the phone and SIM that receive the code are what needs protecting.

Admin access with MFA

Internal production access is protected by multi-factor authentication. Least privilege applies across teams: no one holds full access for routine work.

Audit logs for significant account changes

Every key change (new-device login, WhatsApp number change, staff access change) is logged and reviewable.

Payments never touch ShopTopia servers

Online payments are handled fully by Xendit/Stripe under PCI-DSS certification. ShopTopia does not store, log, or process card numbers.

Daily backups & disaster recovery

Daily automated database backups, retained for 30 days. For region-level disaster scenarios the recovery point objective (RPO) is under 24 hours, i.e. at most one day of data can be lost, and the recovery time objective (RTO) is under 4 hours.

Dependency & vulnerability monitoring

Package dependencies are scanned automatically on every commit. Critical security patches are applied within 48 hours of the upstream release.

Environment separation: production, staging, dev

Production data is never used in staging or dev. ShopTopia staff have no direct access to your store's customer data except for support you have authorized.

Infrastructure

Providers we rely on

ShopTopia runs on providers audited to enterprise standards. Their certifications cover all data flowing through our platform.

  • Supabase: PostgreSQL database, authentication, storage. SOC 2 Type II.
  • Vercel: Frontend hosting + edge functions. SOC 2 Type II, ISO 27001.
  • Xendit: Payment gateway. PCI-DSS Level 1, BI-licensed Payment System Service Provider.
  • Stripe: International payment gateway. PCI-DSS Level 1, ISO 27001.
  • WhatsApp Business API: Notifications & OTP. End-to-end encryption.

Incidents

If something happens

No system is perfect. If we detect a security incident that materially affects your data, we will notify you within 3×24 hours (72 hours), as required by UU PDP Article 46, with details of what happened, which data was affected, and the steps we are taking.

  • Direct notification to email and WhatsApp of affected sellers.
  • Report to the competent Indonesian data protection authority as legally required.
  • Public post-mortem on /status after the incident is handled.

Report a security issue

Bug or vulnerability?

If you find a security issue, send it to security@shoptopia.id with technical detail. We reply within 24 hours and will not take legal action against good-faith research.

