Security

Security at Spar is a shared responsibility between us, our infrastructure providers, and the merchants who connect their stores. Our job is to scope every read and write to a single team, encrypt data in transit and at rest, require human review before changes ship to a live storefront, and monitor the system for unexpected behavior. Our infrastructure providers operate the physical infrastructure, the network, and their own platform controls. Merchants are responsible for managing their team membership, rotating compromised credentials, and approving the scopes they grant to us.

The sections below describe what we actually do today. We describe our current controls as accurately as possible and do not claim certifications we do not hold.

All traffic to Spar is served over TLS. Data at rest in our database, cache, and object storage is encrypted by the managed services that host it. Production secrets are stored in provider-managed secret stores and never committed to source control.

Our database supports soft deletion across most application models, with hard deletion for records that affect authentication so that revoking access actually revokes access. Backups and point-in-time recovery are provided by our managed database service within its retention window.

Errors and traces forwarded to our monitoring tools have request bodies, headers, and cookies redacted by default for sensitive fields such as tokens, passwords, API keys, and session identifiers. Session replay tooling masks form inputs.

Billing runs through Stripe Checkout and the Stripe Billing Customer Portal. Card numbers, expiry, and CVCs are entered directly into Stripe-hosted surfaces and never touch our servers. We store Stripe customer, subscription, and invoice identifiers only.

Spar supports email-and-password and Google OAuth sign-in. Passwords are hashed; plaintext values never reach our database. Authentication and other sensitive routes are rate-limited using IP- and account-based controls.

Every authenticated user belongs to one or more teams. Every server action and read query runs through a single authorization layer that resolves the current team, verifies the user has membership, and computes a permission set from the user's role and the team's plan. Attempting to access a team or store the user is not a member of returns a hard error.

Merchant integrations such as Shopify and Google Analytics are authorized through OAuth with scopes the merchant approves. Tokens are stored in systems encrypted at rest. Inbound webhooks from Shopify and Stripe are signature-verified before any payload is processed.

Cuped internal access to tenant data for support and abuse investigations is restricted to authorized personnel and logged.

Spar runs on reputable cloud infrastructure providers covering application hosting, managed databases, object storage, edge workers, and payment infrastructure. We rely on those providers for physical security, network controls, encryption, backup, and platform hardening, and we configure them with least privilege. A current vendor list is available on request.

Data may reside in Canada, the United States, the European Union, or other jurisdictions where our subprocessors operate, as described in our Privacy Policy.

Every server action and public route handler validates its input against a schema before reaching application logic. Database access uses a parameterized query layer. We escape interpolated values by default and avoid rendering unsanitized user- or LLM-supplied content as HTML.

Server-side fetches used for storefront preview and proxying are scoped and validated against authorized merchant domains. We continue to harden our preview and proxy systems against server-side request forgery and related risks.

Dependency updates are reviewed continuously through automated pull requests, and security advisories are enabled on our source repositories. Changes ship through pull requests and continuous integration; production deploys use immutable artifacts.

Spar uses commercial large language models to draft audits, hypotheses, A/B test ideas, and code variations. We use commercial and API model providers and configure available controls to prevent use of Customer Data for training general-purpose models where provider terms and controls support that restriction.

AI prompts and responses may be traced for debugging, quality review, abuse prevention, and incident investigation. These traces may be reviewed by authorized Cuped personnel for those purposes.

Every AI output that a merchant might act on is presented for human review before it ships to a storefront. Generated findings appear in a triage queue; generated variations are previewed in our editor and ship through the merchant's chosen experimentation surface (Shopify theme blocks, Intelligems, Convert, GrowthBook). Spar does not autonomously publish changes to a live storefront without a merchant action.

Merchants are responsible for monitoring active tests and variations and disabling, pausing, or rolling back any variation that causes errors, degraded performance, incorrect pricing, misleading claims, or other unintended behavior. See our Terms of Service for the full responsibility model.

We instrument the web app, the API, and our edge workers with error tracking, performance traces, and product analytics. High-priority errors and unhandled exceptions are routed to the engineering team.

We investigate reported or suspected security incidents promptly and notify affected customers and regulators where required by applicable law. If we learn of an incident that affects your data, we will notify affected merchants by email to the address on file for the team.

9.1 SOC 2 and ISO 27001

Spar is not currently certified under SOC 2 or ISO 27001. We follow practices that we expect will line up with the relevant control families and we plan to pursue a formal SOC 2 report when our customer base and the requests we receive justify the engagement. We will publish certification status here when it changes.

9.2 PCI DSS

We do not directly store or process cardholder data. Payment collection is handled by Stripe Checkout and the Stripe Billing Customer Portal, which are PCI DSS Level 1 certified. Our PCI exposure is limited to maintaining our Stripe integration.

9.3 PIPEDA and provincial privacy law

As a Canadian company, we are accountable under the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level and applicable provincial private sector privacy laws, including Quebec Law 25, Alberta PIPA, and British Columbia PIPA. Our designated Privacy Officer is reachable at privacy@cuped.ai.

9.4 GDPR and UK GDPR

For merchants and end shoppers based in the EEA or UK, our controller and processor roles, data subject rights, legal bases, and international transfer safeguards are covered in our Privacy Policy.

9.5 Shopify Protected Customer Data

Where our Shopify app accesses protected customer data, we handle that data according to Shopify's applicable app requirements and our Privacy Policy.

If you believe you have found a security vulnerability in Spar, please report it to security@cuped.ai. Include a clear description of the issue, the affected URL or endpoint, the impact you observed, and reproduction steps. We aim to acknowledge security reports within one business day. We do not currently operate a paid bug bounty program; we acknowledge confirmed reports publicly with the reporter's permission.

While we triage your report we ask that you do not access, modify, or exfiltrate data that does not belong to you, do not run automated scanning that degrades service for merchants, do not disclose the issue publicly before we have had a reasonable opportunity to fix it, and do not engage in social engineering against our employees or contractors. We do not intend to pursue legal action against researchers who report vulnerabilities in good faith and within those limits.

Security reports and questions about this page should go to security@cuped.ai. General questions can go to founders@cuped.ai.