Trust
Compliance & Security (Draft)
Security and privacy are foundational to how we design, operate, and improve the Service. This page describes the controls we have today and the ones we are working toward. We will update it as our program matures.
Our security philosophy
- Least access by default. Roles, tenant boundaries, and authentication checks are designed before features, not after.
- Data minimization. We ingest only the data the Service needs to operate the features the merchant has enabled.
- Tenant isolation. Merchant data stays inside the merchant's tenant. Cross-tenant access is restricted to narrowly scoped operational roles and is logged.
- Transparency over marketing. We aim to use industry-standard safeguards and to say plainly what we do and do not have in place today.
Data handling
- Personal information is processed in accordance with the Privacy Policy.
- Shopify Protected Customer Data is processed only to provide Service features to the connected merchant.
- Customer Data is encrypted in transit using TLS. Where supported by our infrastructure, data at rest is encrypted using industry-standard mechanisms provided by [Hosting Provider] and our managed database providers.
- Secrets and integration tokens (such as Shopify access tokens) are encrypted at the application layer, and access is restricted to the systems that need them.
- PII masking is applied at the render boundary in merchant portals. Sensitive fields are revealed only to users whose role explicitly grants access.
Access control
- Authentication is account-based with password complexity requirements. Multi-factor authentication is available where supported.
- Internal access to production systems is restricted to a small number of authorized personnel, granted on a least-privilege basis, and logged.
- Background checks, confidentiality agreements, and security training are applied to personnel with access to customer data, in accordance with applicable law.
Monitoring, logging, and incident response
- We collect operational logs from our applications, infrastructure, and integrations to support availability, security, and abuse detection. Log retention is set on a defined schedule.
- We have a written incident response process. In the event of a security incident affecting personal information, we will follow the breach notification procedures described in the Privacy Policy and notify affected merchants and regulators as required.
- Security and privacy concerns can be reported confidentially to [Security Email].
Vendor and sub-processor review
Before engaging a sub-processor, we review their security and privacy posture proportionate to the data they will handle. Our current categories of sub-processors include:
- Hosting infrastructure: [Hosting Provider]
- Managed database: dedicated managed database provider
- Analytics: [Analytics Provider]
- Logging and monitoring: dedicated observability provider
- Transactional email: [Email Provider]
- Payments: Stripe and other payment processors
A list of named sub-processors is available on request from [Privacy Email].
Resilience and continuity
- Cloud infrastructure with managed redundancy and automated backups.
- Backups are encrypted and rotated on a defined schedule.
- Recovery processes are tested periodically.
We do not currently publish a contractual uptime guarantee. Service availability targets are described in any separately signed service level agreement.
What we are not claiming today
We believe in being honest about where our compliance program is. As of May 2026:
- LNC is not currently certified under SOC 2, ISO/IEC 27001, PCI DSS, HIPAA, or HITRUST.
- LNC is not currently a HIPAA Business Associate and the Service should not be used to store Protected Health Information.
- LNC is not certified to process cardholder data. Payments are processed by Stripe and other payment processors, which are PCI DSS-compliant service providers; cardholder data is not stored by the Service.
These are on our roadmap to be evaluated and pursued as the business scales. We will update this page when the position changes.
Working with regulated and enterprise buyers
For enterprise procurement, security reviews, and questionnaires, please contact [Security Email]. We can provide a current sub-processor list, a completed security and privacy questionnaire, and a Data Processing Addendum (DPA) for review.
Responsible disclosure
If you believe you have found a security vulnerability in the Service, please contact [Security Email]. We ask researchers to act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure. We will not pursue legal action against researchers who follow this process.