Security
Cassian™ handles sensitive store data every day. We take that seriously. Here's exactly how we protect your information, who has access, and what our commitments are.
Data protection
Infrastructure
Hosted on a global edge network with automatic HTTPS, DDoS protection, and CDN. Requests are served from the nearest edge location worldwide, including Europe.
Managed PostgreSQL with row-level security (RLS) enforced at the database layer. Every query is scoped to the authenticated user’s organisation. Hosted in the United States. EU region on the roadmap.
Screenshots and reports stored on encrypted object storage. Encrypted at rest, served via global CDN with signed URLs.
Cassian Shield™
Cassian Shield™ runs enterprise-grade passive vulnerability scanning against your storefront. Results are translated into plain English with severity classification — no security expertise required.
Cross-site scripting (XSS) detection
Missing security headers
Cookie misconfiguration
Clickjacking vulnerabilities
Content Security Policy analysis
Available on all paid tiers
Encryption & access control
All data in transit is encrypted with TLS 1.3. Every connection to Cassian — from browser to API to platform connector — is encrypted end-to-end. We enforce HTTPS everywhere with HSTS preload.
All data at rest is encrypted with AES-256. Database volumes, file storage, and backups are all encrypted. Encryption keys are managed by our infrastructure providers and rotated automatically.
Database queries are scoped to the authenticated user's organisation via row-level security (RLS). Internal team access follows least-privilege principles with audit logging on all data access.
Passwordless authentication via one-time codes. No passwords to steal, no credentials to leak. SSO (SAML) for Enterprise customers is on the roadmap.
AI & LLM data handling
Cassian AI™ uses commercial LLM APIs for content analysis, translation quality scoring, and issue detection. All interactions happen via commercial API endpoints with enterprise-grade data handling agreements.
Our AI providers do not train on data submitted via their commercial APIs.
All data processing is transient — page content is sent for analysis and discarded after scoring.
We do not store raw prompts or responses beyond the structured results (scores, issues, suggestions).
No customer data is shared with third parties for advertising, profiling, or any purpose beyond the analysis you authorised.
GDPR
Cassian is designed for global ecommerce. Many of our customers operate in the EU and UK, and we treat GDPR compliance as a baseline requirement, not an add-on.
Data currently hosted in US East. EU region on the roadmap for EU/UK customers.
DPA available on request for all paying customers.
Close your account and all data is deleted within 30 days.
We implement all mandatory platform GDPR webhooks including customer data requests, customer redaction, and shop redaction.
Compliance
Full GDPR compliance via Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). Data Processing Agreement (DPA) available on request. Right to erasure via account closure — all data deleted within 30 days. EU data residency on the roadmap.
If you've found a security vulnerability in Cassian, we want to hear about it. We take all reports seriously and will respond within 24 hours. Please do not disclose vulnerabilities publicly before we've had a chance to address them.
security@getcassian.com
For more detail on how we handle your data, refer to these documents.