Security at CPG Labs
We keep your data safe at all times. Here is how we do it.
Encryption at Rest
All data stored in our databases is encrypted using AES-256, the industry standard for data protection. Our PostgreSQL databases are hosted on AWS RDS with encryption enabled at the storage layer, ensuring that your store data, delivery routes, analytics, and configuration are protected at rest.
Encryption in Transit
Every connection to and from Omnify is encrypted using TLS 1.2 or later. This includes communication between your browser and our servers, between our application and Shopify's APIs, between our services and Google Maps Platform, and between our infrastructure and carrier service providers. No data travels unencrypted.
Access Controls
We enforce role-based access control (RBAC) with the principle of least privilege across our entire infrastructure. Production systems require multi-factor authentication (MFA) for access. Secrets and API keys are stored in AWS SSM Parameter Store, never in code repositories, and are rotated regularly.
Infrastructure
Omnify runs on AWS ECS Fargate in the us-east-1 region, inside a Virtual Private Cloud (VPC) with private subnets. Our containers are serverless and ephemeral, reducing the attack surface. Application load balancers handle TLS termination, and all network traffic is restricted to only the ports and protocols required for operation.
Data Handling
CPG Labs does not sell, rent, or trade your data under any circumstances. Your data is processed exclusively to power the features you use within the Omnify platform. We access only the Shopify scopes you approve during installation, and we comply with the Google API Services User Data Policy, including its Limited Use requirements.
Vulnerability Disclosure
We take security reports seriously. If you discover a potential security vulnerability in the Omnify platform, please report it responsibly to security@cpg-labs.io. We will acknowledge your report within 48 hours and work with you to understand and address the issue. We request that you do not publicly disclose the vulnerability until we have had an opportunity to investigate and remediate it.
Omnify is compliant with the Google API Services User Data Policy.