Security
How Brandclub Sync protects user data.
Credential Handling
User retailer credentials (Amazon password, etc.) are:
Encrypted client-side using AES-256-CBC before transmission
Never stored - Used once for authentication, then discarded
Transmitted over TLS 1.2+ only
Never logged or cached anywhere in our systems
Example (internal to SDK, shown for reference):
User enters password
↓
Encrypted in browser with AES-256
↓
Sent to Brandclub over HTTPS
↓
Used to auth with retailer
↓
Immediately discarded
OAuth Security
PKCE (Proof Key for Code Exchange) prevents authorization code interception
State parameter prevents CSRF attacks
Short-lived tokens - Access tokens expire in 1 hour
Token revocation supported for immediate invalidation
Data Transmission
All API communication uses:
TLS 1.2+ encryption
HTTPS only (HTTP not supported)
JWT signatures validated via JWKS
Bearer tokens in Authorization header (never in URLs)
PII Handling
What We Collect
Authentication:
Phone number (for login)
Email (optional)
Name (optional)
Orders:
Product names and prices
Order dates and totals
Retailer names
What We DON'T Collect
❌ Credit card numbers
❌ Billing addresses
❌ Shipping addresses
❌ Payment methods
❌ Social security numbers
Orders contain NO personally identifiable shipping/billing information.
Data Storage
Credentials: Not stored (discarded after use)
Tokens: Encrypted at rest in Redis
Order data: Cached with encryption
PII: Minimal, encrypted, access-controlled
Access Control
OAuth scopes limit what each client can access
Permission model enforces least-privilege
Audit logging tracks all data access (internal)
Compliance
Current Status: Work in progress
Brandclub is working toward:
SOC 2 Type II certification
GDPR compliance
CCPA compliance
PCI DSS (for payment data, if applicable)
Contact us for current compliance documentation.
Data Retention
Active users: Data retained while account is active
Inactive users: Data deleted after 90 days of inactivity
User requests: Data deletion available on request
Security Best Practices
For Partners
Token Storage:
API Calls:
Incident Response
In case of security concerns:
Rotate tokens immediately via /oauth2/revoke
Monitor for unusual API activity
Review access logs
Testing Security
Sandbox environment:
Separate credentials from production
No real user data
Safe for testing error scenarios
Questions?
For security inquiries or to report vulnerabilities, see our security policy.