Security

Our approach

CARTT.AI is a multi-tenant platform handling commerce data — orders, customers, payment integrations, accounting connections, inventory feeds. Security is built into the architecture rather than bolted on. This page describes the controls in place and how to report a vulnerability.

Hosting and data residency

• Australian-hosted infrastructure. Tenant data is stored in Australia.
• Per-tenant database isolation — each tenant has its own MariaDB database; cross-tenant access is impossible at the query level.
• CageFS-based per-user process isolation on shared hosts — one tenant's PHP processes cannot read another tenant's files.
• Regular automated backups with off-site retention.

Encryption

• In transit — TLS 1.2+ for all HTTP traffic. HTTP requests are upgraded to HTTPS.
• Credentials — user passwords stored as Bcrypt/Argon2 hashes; never stored or logged in plaintext.
• Third-party API credentials — encrypted at rest with Laravel's encrypted:array cast.
• Webhook signatures — HMAC-SHA256 verification on all inbound webhooks from EDI brokers, payment processors, POS, and inventory systems.

Application controls

• CSRF protection on every state-changing form.
• SQL injection prevention via parameterised queries (Eloquent ORM).
• Output encoding for XSS prevention.
• Per-route rate limiting for sensitive endpoints (login, contact form, public APIs).
• Admin panel IP whitelisting available per tenant.
• Role-based access control with fine-grained permissions across the admin.
• Audit logs for sensitive admin actions.

AI provider isolation

AI processing (Anthropic Claude, OpenAI, ElevenLabs, HeyGen, Black Forest Labs, Google Gemini) goes through provider APIs under contract terms that prohibit training their general models on tenant content. Tenant API keys to AI providers (where used) are encrypted at rest.

Payment and PCI

CARTT.AI does not store credit card numbers. Payments are tokenised through the connected processor (eWAY, PayPal, Afterpay, Zip, Stripe). PCI scope is reduced to the redirected/tokenised forms supplied by the processor.

Incident response

If we become aware of a security incident affecting personal information, we follow Australia's Notifiable Data Breaches scheme: we assess the breach, notify affected tenants and individuals where likely serious harm is identified, and report to the Office of the Australian Information Commissioner.

Responsible disclosure

If you believe you've found a security vulnerability in CARTT.AI, we'd like to hear from you. Please report it to security@cartt.ai.

We commit to:

• Acknowledging your report within 3 business days.
• Providing a status update within 14 days.
• Crediting you in our changelog (with your permission) once the issue is fixed.

We ask that you:

• Give us reasonable time to investigate and remediate before public disclosure.
• Avoid accessing, modifying or destroying data that isn't your own.
• Avoid actions that could degrade service for other tenants.
• Avoid social-engineering attacks against our staff or customers.

We do not currently run a paid bug bounty programme.

Contact

security@cartt.ai for security reports. For general privacy questions, see our Privacy Policy.