Security
Last updated: 22 June 2026
Security is central to how we build Kuruvi. This page explains the measures we take to protect your data, how we respond to security incidents, and how to report a vulnerability.
1. How we protect your data
- Encryption in transit: all traffic to and from Kuruvi is protected with TLS.
- Encryption at rest: data is encrypted at rest using AES-256 (Google Cloud / Firestore default encryption). Sensitive platform credentials are additionally protected with Google Cloud KMS.
- Authentication: all API calls are authenticated. Privileged operations run through Cloud Functions that verify the caller's identity.
- Firebase Security Rules: Firestore and Storage rules enforce per-merchant data isolation and prevent unauthorized access โ a user can only reach their own (or their team's) data.
- App integrity: Firebase App Check (reCAPTCHA on web, Play Integrity / Device Check on mobile) helps ensure requests come from genuine instances of the app.
- Rate limiting & abuse prevention: rate limits and quotas guard sensitive and costly endpoints.
- Suspicious-activity monitoring: we monitor logs and usage for anomalous or suspicious activity and alert on it.
- Least-privilege access & audit logging: internal access follows the principle of least privilege, and access to systems is logged.
2. Security incident response
We maintain a documented incident-response process so that, in the event of a security incident, we act quickly and transparently.
- Detection & triage: when a potential incident is detected (through monitoring, alerts, or a report), we triage it and begin an initial assessment within 24 hours.
- Containment: we move to contain the issue โ for example revoking credentials, isolating affected systems, or disabling affected functionality.
- Investigation: we determine the scope, root cause, and what data (if any) was affected.
- Notification: if a personal-data breach affects you, we notify affected users and the relevant supervisory authority within 72 hours of becoming aware, in line with Article 33 GDPR. For Shopify-related incidents we also notify Shopify as required.
- Remediation: we fix the root cause and apply safeguards to prevent recurrence.
3. Report a security issue
If you believe you've found a security vulnerability or have a security concern, please contact us at security@kuruvi.com. We aim to acknowledge security reports within 24 hours. Please include enough detail to reproduce the issue, and give us a reasonable opportunity to address it before public disclosure.
4. Related
See our Privacy Policy for how we collect, use, and retain data, and our Data Deletion page to request deletion of your data.