# Data Security Practices
This page describes MerchantFlow data security practices, including two-factor authentication (2FA), AES-256 encryption, session management, tenant isolation, and OAuth token security.
## Data Security
Effective Date: December 27, 2025
MerchantFlow data security encompasses the technical and organizational measures that protect your business data, integration credentials, and account information. At MerchantFlow Pty Ltd, we implement industry-standard encryption, authentication, session management, and access controls to ensure your data remains private and secure.
## Authentication Security
### Two-Factor Authentication (2FA)
MerchantFlow uses Better Auth for authentication with support for two-factor authentication (2FA).
2FA features:
- TOTP-based (Time-based One-Time Password) authentication
- Compatible with authenticator apps such as Google Authenticator, Authy, and 1Password
- Recommended for all accounts, especially account owners and administrators
- Can be enabled in Settings > Profile > Security
### Password Security
MerchantFlow enforces strict password validation requirements:
- Minimum 8 characters in length
- Must contain at least one uppercase letter, one lowercase letter, one digit, and one special character
- All passwords are securely hashed and salted before storage
- Plaintext passwords are never stored or logged
For password management, see Password Reset.
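As an added example (not MerchantFlow's or Better Auth's code), the following TypeScript implements the password rules listed above and the salted hashing the page describes, using Node's built-in scrypt and a constant-time comparison on verification. The special-character set, the scrypt parameters and the stored-hash layout are assumptions.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Policy from the page: at least 8 characters, one uppercase, one lowercase,
// one digit and one special character. "Special" here means any non-alphanumeric
// character (an assumption; the page does not define the set).
const MIN_LENGTH = 8;
const SPECIAL = /[^A-Za-z0-9]/;

// Returns the list of unmet requirements; an empty list means the password passes.
function validatePassword(password: string): string[] {
  const problems: string[] = [];
  if (password.length < MIN_LENGTH) problems.push(`at least ${MIN_LENGTH} characters`);
  if (!/[A-Z]/.test(password)) problems.push("one uppercase letter");
  if (!/[a-z]/.test(password)) problems.push("one lowercase letter");
  if (!/[0-9]/.test(password)) problems.push("one digit");
  if (!SPECIAL.test(password)) problems.push("one special character");
  return problems;
}

// scrypt cost parameters (assumed for the example, not the project's values).
const SCRYPT_OPTS = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 64;

// Hash with a fresh random 16-byte salt; only this string is stored, never the password.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEY_LEN, SCRYPT_OPTS);
  return `scrypt$${SCRYPT_OPTS.N}$${salt.toString("hex")}$${key.toString("hex")}`;
}

// Recompute the hash with the stored salt and compare in constant time.
function verifyPassword(password: string, stored: string): boolean {
  const [alg, n, saltHex, keyHex] = stored.split("$");
  if (alg !== "scrypt" || !n || !saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length, {
    ...SCRYPT_OPTS,
    N: Number(n),
  });
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}
```

Validation runs before hashing so that a rejected password never reaches the hash step, and the hash string carries its own salt and cost parameter so the verifier does not depend on global settings.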
### Session Security
MerchantFlow implements comprehensive session management to protect your account:
| Setting | Value | Description |
|---|---|---|
| Session expiry | 12 hours | Sessions automatically expire after 12 hours of inactivity |
| Update age | 1 hour | Session tokens are refreshed every hour |
| Cookie cache | 5 minutes | Cookie validation is cached for 5 minutes for performance |
Additional session protections:
- Secure, HTTP-only session cookies
- Session tokens are invalidated on password change
- Active sessions can be viewed and revoked in Settings > Profile > Security
- "Log Out All Devices" option available for emergency access revocation
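The following TypeScript is an added illustration, not Better Auth's or MerchantFlow's implementation, of how the three settings in the table interact on each request: a sliding 12-hour expiry, an hourly refresh of that expiry, and a 5-minute cookie cache that skips the database lookup. It also models the two revocation paths listed above (invalidation on password change and "Log Out All Devices"). The in-memory store, field names and password-version mechanism are assumptions.

```typescript
// Timing values from the session table above, in milliseconds.
const SESSION_EXPIRES_IN = 12 * 60 * 60 * 1000; // 12 hours of inactivity
const SESSION_UPDATE_AGE = 60 * 60 * 1000;      // extend expiry at most once per hour
const COOKIE_CACHE_MAX_AGE = 5 * 60 * 1000;     // trust a validated cookie for 5 minutes

interface SessionRecord {
  token: string;
  userId: string;
  expiresAt: number;       // absolute ms timestamp after which the session is dead
  updatedAt: number;       // last time expiresAt was extended
  passwordVersion: number; // password version the session was issued under
}

// Cookie-cache entry: the token and when it was last checked against the store.
interface CachedCookie { token: string; checkedAt: number; }

type Outcome = "cached" | "valid" | "refreshed" | "expired" | "invalidated" | "invalid";

// Assumed in-memory store standing in for the sessions table.
class SessionStore {
  private sessions = new Map<string, SessionRecord>();
  private passwordVersions = new Map<string, number>();

  create(token: string, userId: string, now: number): SessionRecord {
    const record: SessionRecord = {
      token,
      userId,
      expiresAt: now + SESSION_EXPIRES_IN,
      updatedAt: now,
      passwordVersion: this.passwordVersions.get(userId) ?? 0,
    };
    this.sessions.set(token, record);
    return record;
  }

  // Validate a presented token at time `now`. When the store was consulted, the
  // result carries a cookie-cache entry the caller may reuse for COOKIE_CACHE_MAX_AGE.
  validate(token: string, now: number, cache?: CachedCookie): { outcome: Outcome; cache?: CachedCookie } {
    // Cookie cache: a recently validated cookie is accepted without a store lookup.
    if (cache && cache.token === token && now - cache.checkedAt < COOKIE_CACHE_MAX_AGE) {
      return { outcome: "cached", cache };
    }
    const s = this.sessions.get(token);
    if (!s) return { outcome: "invalid" };
    if (now >= s.expiresAt) {
      this.sessions.delete(token);
      return { outcome: "expired" };
    }
    // A password change bumps the user's version; sessions issued earlier stop matching.
    if ((this.passwordVersions.get(s.userId) ?? 0) !== s.passwordVersion) {
      this.sessions.delete(token);
      return { outcome: "invalidated" };
    }
    // Sliding expiry: rewrite the row only once the update age has elapsed.
    let outcome: Outcome = "valid";
    if (now - s.updatedAt >= SESSION_UPDATE_AGE) {
      s.expiresAt = now + SESSION_EXPIRES_IN;
      s.updatedAt = now;
      outcome = "refreshed";
    }
    return { outcome, cache: { token, checkedAt: now } };
  }

  // Called on password change: every existing session for the user stops validating.
  changePassword(userId: string): void {
    this.passwordVersions.set(userId, (this.passwordVersions.get(userId) ?? 0) + 1);
  }

  // "Log Out All Devices": drop every session for the user immediately.
  revokeAll(userId: string): number {
    let removed = 0;
    for (const [token, s] of this.sessions) {
      if (s.userId === userId) {
        this.sessions.delete(token);
        removed++;
      }
    }
    return removed;
  }
}
```

One property of this model worth noticing: because the cookie-cache branch returns before the store is consulted, a session revoked or invalidated by a password change can still be accepted for up to the cache age on a client that holds a fresh cache entry. Code paths that must honour revocation immediately should validate without the cache.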
## Tenant Isolation
MerchantFlow keeps each account's data strictly isolated through tenant isolation:
- Each tenant's data is logically separated and cannot be accessed by other tenants
- Your data is only accessible to your account and authorized team members
- Cross-tenant data access is architecturally prevented
- Team members within a tenant share access based on their assigned roles
## OAuth and Integration Security
### Encrypted Tokens
All OAuth tokens for connected integrations are encrypted at rest. Integration credentials are stored securely and never exposed in logs or API responses.
### No Password Storage for Integrations
MerchantFlow connects to third-party integrations exclusively through OAuth 2.0. We never ask for or store passwords for services such as Google, Shopify, WooCommerce, or Meta.
### Read-Only Access
MerchantFlow requests read-only access to your integrations wherever possible:
- Google Ads - read-only access to campaign and performance data
- Google Analytics 4 - read-only access to traffic and conversion data
- Google Search Console - read-only access to search performance data
- Google Merchant Center - read-only access to product feed data
- Shopify - read-only access to orders and product data
- WooCommerce - read-only access to orders and product data
- Meta Ads - read-only access to campaign performance data
We never modify your data, create campaigns, or make changes to your connected platforms.
### Token Revocation
You can revoke integration access at any time:
- Go to Settings > Integrations
- Click "Disconnect" on the integration
- OAuth tokens are immediately deleted
- You can also revoke access from the third-party platform directly
## Payment Security
All payment processing is handled by Stripe, which is PCI DSS compliant:
- MerchantFlow never sees or stores your credit card numbers
- Payment data is transmitted directly to Stripe over encrypted connections
- Stripe handles all payment card validation and fraud detection
## Encryption Standards
### Encryption in Transit
- All data transmitted over HTTPS/TLS (TLS 1.2 or higher enforced)
- Insecure connections are rejected
### Encryption at Rest
- Database data encrypted at rest using AES-256
- OAuth tokens encrypted with dedicated encryption keys
- Backups are encrypted
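As an added example (not the project's code) of keeping an OAuth token encrypted at rest under a dedicated AES-256 key, the following TypeScript uses Node's AES-256-GCM with the tenant and integration identifiers as additional authenticated data, so a ciphertext copied onto another tenant's row fails to decrypt. The in-process key generation and the stored-record layout are assumptions; in practice the key would be held in a KMS or secrets manager, separate from the database-level key.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Dedicated 256-bit key for OAuth tokens. Generated here for the example
// (assumption); production code would fetch it from a KMS or secret store.
const TOKEN_KEY = randomBytes(32);

// What gets written to the database: no plaintext, and the GCM tag is kept
// so any modification of iv/ciphertext/tag is detected on decryption.
interface SealedToken {
  iv: string;         // 12-byte nonce, base64
  ciphertext: string; // base64
  tag: string;        // 16-byte GCM authentication tag, base64
}

// Bind the ciphertext to the row it belongs to via additional authenticated data.
function aadFor(tenantId: string, integration: string): Buffer {
  return Buffer.from(`${tenantId}:${integration}`, "utf8");
}

function sealToken(plaintext: string, tenantId: string, integration: string, key: Buffer = TOKEN_KEY): SealedToken {
  const iv = randomBytes(12); // fresh nonce per encryption; never reuse with the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aadFor(tenantId, integration));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ciphertext: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Returns the plaintext, or null when the tag check fails (tampering, wrong key,
// or the record being read under a different tenant/integration).
function openToken(sealed: SealedToken, tenantId: string, integration: string, key: Buffer = TOKEN_KEY): string | null {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(sealed.iv, "base64"));
  decipher.setAAD(aadFor(tenantId, integration));
  decipher.setAuthTag(Buffer.from(sealed.tag, "base64"));
  try {
    return Buffer.concat([
      decipher.update(Buffer.from(sealed.ciphertext, "base64")),
      decipher.final(),
    ]).toString("utf8");
  } catch {
    return null;
  }
}
```

The decrypt path returns null rather than throwing so that callers cannot accidentally surface the error text, which in some libraries echoes part of the input; the token itself is never included in any return value other than the successful plaintext.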
## Data Retention and Purge
MerchantFlow implements automatic data retention policies:
- Data types such as audit logs, sync logs, analytics snapshots, and integration logs are subject to configurable retention periods
- Expired data is automatically and permanently purged
- Retention periods balance operational needs with data minimization principles
For full retention details, see GDPR Compliance.
## Account Deletion
When you delete your account:
- All personal data is removed
- Integration tokens are revoked and deleted
- Synced data is permanently purged
- Backups are removed within 90 days
## Security Best Practices for Users
- Enable 2FA on your MerchantFlow account
- Use a strong, unique password that meets the requirements above
- Do not share your account credentials
- Review active sessions regularly and revoke any you do not recognize
- Keep your email secure as it is used for account recovery
- Disconnect unused integrations to minimize your data footprint
- Report suspicious activity immediately to [email protected]
## Reporting Security Issues
If you discover a security vulnerability or have concerns about data security:
- Email: [email protected]
- Subject: Security Issue
- Responsible disclosure is appreciated
- We acknowledge receipt within 24 hours
## Frequently Asked Questions
### Does MerchantFlow store my credit card information?
No. All payment processing is handled by Stripe (PCI DSS compliant). MerchantFlow never sees, processes, or stores payment card numbers.
### Can other MerchantFlow users see my data?
No. MerchantFlow uses tenant isolation to architecturally prevent cross-account data access. Your data is only visible to your workspace team members based on their assigned roles.
### What happens to my data if MerchantFlow experiences a security breach?
In the event of a breach, MerchantFlow follows its incident response plan: immediate investigation, notification to affected users within 72 hours (GDPR requirement), remediation, and post-incident review.
### Is my data backed up?
Yes. Data is backed up with encryption. Backups are stored across multiple AWS regions and are removed within 90 days of account deletion.
Last updated: March 14, 2026