Security, storage, and deletion posture

Encryption

GhostSync stores platform data on AWS-managed infrastructure with encryption at rest.

Traffic between GhostSync, Shopify, and supported providers uses TLS in transit.

Credential handling

Shopify access tokens are stored through GhostSync's approved encryption flow and are never exposed back through the UI.

Untrusted input posture

Supplier files are treated as untrusted input and validated before parsing or execution.

Storage and retention

• Raw uploads: Deleted after 24 hours.
• Merchant data: Core merchant records are retained until a verified deletion request is processed. Some billing, support, security, audit, and provider-side records may follow separate retention rules.
• Account deletion: The current deletion flow removes core merchant records immediately, but some supporting, provider-side, finance, support, and log records may follow separate retention or manual cleanup workflows.
• CloudWatch logs: CloudWatch logs retain for 30 days.

Incident and support readiness

GhostSync publishes live incident communication on the status page and currently targets acknowledging critical incidents within Within 1 business day.

Merchant support and sales requests currently target a first response within Within 2 business days.

These are founder-led response targets, not a contractual SLA.