Security

• All traffic over TLS 1.2+.
• Database at rest encrypted by Supabase (AES-256).
• Backups encrypted.
• Passwords hashed with bcrypt via Supabase Auth — we never see plaintext.

• Every data row carries a business_id. Row-Level Security policies on Postgres enforce that no user can read or write data outside their business — verified at the database, not just the application layer.
• Service-role keys are only used in server-side code that has already authenticated and authorized the caller.

• Every sale, payment, inventory move is recorded as an immutable event in an append-only log. Projections (inventory, credit) are derived from events via database triggers.
• Every event carries an idempotency key — duplicate submissions are deduplicated server-side. A flaky network can't create double sales.

• The agent PWA writes transactions to a local IndexedDB outbox before attempting to sync — your data is durable from the moment of capture.
• Background sync resumes automatically when connectivity returns. No user action required. No data loss on a flat-tyre cell-tower day.

Subscription payments are processed by Dodo Payments. We never see your card number — only a Dodo customer ID. Webhook events are verified via signed standardwebhooks signatures before we update your subscription state.

• Three roles: owner, admin, agent.
• Owners can promote/demote admins. Admins can invite agents. Agents cannot see admin-only data even if they guess the URL — the database enforces it.

Found a vulnerability? Email security@traxales.app. We acknowledge within 48 hours and never threaten legitimate researchers.