
WeaveCycle

Shopify-first returns routing and resale recovery.

Security

A factual security posture for an early EU-first workspace.

This page describes controls that are already implemented, controls expected in production, and the limits WeaveCycle will not overclaim. Last updated May 4, 2026.

Security contact

Report a vulnerability

Send suspected vulnerabilities, exposed data, or abuse reports to founder@weavecycle.ai. Include the affected route, workspace context, reproduction steps, and potential impact when possible.


Production stance

WeaveCycle is built for Shopify fashion brands that need returns routing, resale recovery, and exportable workflow records. Security work focuses on authenticated workspace access, tenant scoping, verified Shopify integrations, encrypted credentials, audit trails, and EU-first infrastructure choices.

Demo mode is a local development convenience and must be disabled in production with WEAVECYCLE_DEMO_MODE=false before live customer data is processed.

Controls in place

Authentication

The web app uses Supabase-backed email magic-link sessions. Protected workspace routes require a server-side session before rendering.

Organization scoping

Core API reads and writes resolve the active organization from the authenticated request context and scope domain records by org_id.
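The tenant-scoping rule above can be shown concretely. The following is an added example, not WeaveCycle's own code: it uses an in-memory SQLite table as a stand-in for the Supabase Postgres tables, a hypothetical session-to-membership lookup (`MEMBERSHIPS`) in place of the real Supabase session, and constructed sample rows. The point it demonstrates is that `org_id` comes only from the server-side request context and is applied to every read and write, so a caller who guesses another tenant's record id gets the same "not found" result as for a record that does not exist.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows standing in for the returns table: (id, org_id, reference, route).
SAMPLE_ROWS = [
    (1, "org_a", "RET-1001", "resale"),
    (2, "org_b", "RET-2001", "restock"),
]

# Hypothetical session -> (user_id, org_id) lookup; the real app resolves this
# from the Supabase session and the membership records, never from client input.
MEMBERSHIPS = {
    "session-alice": ("alice", "org_a"),
    "session-bob": ("bob", "org_b"),
}


@dataclass(frozen=True)
class RequestContext:
    user_id: str
    org_id: str  # resolved server-side; request bodies and query params never set it


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed in-memory table used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE returns ("
        "id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, reference TEXT, route TEXT)"
    )
    conn.executemany("INSERT INTO returns VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def resolve_context(session_token: str) -> RequestContext:
    """Turn an authenticated session into the active organization context."""
    try:
        user_id, org_id = MEMBERSHIPS[session_token]
    except KeyError:
        raise PermissionError("no valid session")
    return RequestContext(user_id=user_id, org_id=org_id)


def get_return(conn: sqlite3.Connection, ctx: RequestContext, return_id: int) -> Optional[dict]:
    """Read one return record. The org_id predicate is mandatory, not optional."""
    row = conn.execute(
        "SELECT id, org_id, reference, route FROM returns WHERE id = ? AND org_id = ?",
        (return_id, ctx.org_id),
    ).fetchone()
    if row is None:
        # Same answer for "does not exist" and "belongs to another org":
        # no cross-tenant existence oracle.
        return None
    return {"id": row[0], "org_id": row[1], "reference": row[2], "route": row[3]}


def set_route(conn: sqlite3.Connection, ctx: RequestContext, return_id: int, route: str) -> int:
    """Update the routing decision; returns the number of rows changed (0 if out of scope)."""
    cur = conn.execute(
        "UPDATE returns SET route = ? WHERE id = ? AND org_id = ?",
        (route, return_id, ctx.org_id),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    alice = resolve_context("session-alice")
    print(get_return(db, alice, 1))   # alice's own record
    print(get_return(db, alice, 2))   # None: belongs to org_b
    print(set_route(db, alice, 2, "resale"))  # 0 rows: write is scoped too
```

A row-level policy in the database (listed on this page as future hardening) would add a second, independent enforcement of the same `org_id` predicate, so that a query which forgets the filter still cannot cross tenants.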

Shopify OAuth and webhooks

Shopify install flows use OAuth state records, callback HMAC verification, and webhook HMAC verification before accepting Shopify events.
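The three checks named in that paragraph, shown end to end as an added example (not WeaveCycle's own implementation). The verification follows the scheme Shopify documents for its OAuth redirect (drop `hmac`, sort the remaining `key=value` pairs, join with `&`, hex HMAC-SHA256 with the app secret) and for webhooks (base64 HMAC-SHA256 over the raw request body, carried in the `X-Shopify-Hmac-Sha256` header). The secret, the in-memory state table, the `sign_*` helpers that play the Shopify side, and the 10-minute state lifetime are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl

# Constructed sample secret; the real service loads the app API secret from configuration.
SHOPIFY_API_SECRET = b"example-shopify-api-secret"

# Hypothetical in-memory stand-in for the OAuth state table:
# state -> (shop it was issued for, expiry timestamp). Records are single-use.
STATE_TTL_SECONDS = 600
_state_records: Dict[str, Tuple[str, float]] = {}


def _canonical_query(params: Dict[str, str]) -> str:
    """Shopify's canonical form: drop `hmac`, sort key=value pairs, join with '&'.
    The real service must also apply Shopify's escaping of '&', '%' and '=' inside
    keys and values; the constructed inputs here contain none."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")


def sign_oauth_query(params: Dict[str, str], secret: bytes = SHOPIFY_API_SECRET) -> str:
    """Shopify side (simulated): build the redirect query string with its hex hmac."""
    digest = hmac.new(secret, _canonical_query(params).encode(), hashlib.sha256).hexdigest()
    return "&".join(f"{k}={v}" for k, v in params.items()) + f"&hmac={digest}"


def verify_oauth_callback(query_string: str, secret: bytes = SHOPIFY_API_SECRET) -> bool:
    """App side: recompute the callback hmac and compare in constant time."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    provided = params.get("hmac")
    if not provided or not provided.isascii():
        return False
    expected = hmac.new(secret, _canonical_query(params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


def sign_webhook(raw_body: bytes, secret: bytes = SHOPIFY_API_SECRET) -> str:
    """Shopify side (simulated): value of the X-Shopify-Hmac-Sha256 header."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def verify_webhook(raw_body: bytes, header_value: str, secret: bytes = SHOPIFY_API_SECRET) -> bool:
    """App side: verify against the *raw* body bytes, before any JSON parsing or
    re-serialisation, which would alter the bytes and break the signature."""
    header_value = header_value or ""
    if not header_value.isascii():
        return False
    return hmac.compare_digest(sign_webhook(raw_body, secret), header_value)


def issue_state(shop: str, now: Optional[float] = None) -> str:
    """Install start: an unguessable state bound to one shop with a short lifetime."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    _state_records[state] = (shop, now + STATE_TTL_SECONDS)
    return state


def consume_state(state: str, shop: str, now: Optional[float] = None) -> bool:
    """Accept a state once, only for the shop it was issued to, only before expiry."""
    now = time.time() if now is None else now
    record = _state_records.pop(state, None)  # pop: a replayed state finds nothing
    if record is None:
        return False
    issued_shop, expires_at = record
    return now <= expires_at and issued_shop == shop


def handle_callback(query_string: str, now: Optional[float] = None) -> str:
    """Callback handling order: hmac first, so an unsigned request cannot burn a state."""
    if not verify_oauth_callback(query_string):
        return "rejected: bad hmac"
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if not consume_state(params.get("state", ""), params.get("shop", ""), now):
        return "rejected: bad state"
    return "accepted"


if __name__ == "__main__":
    st = issue_state("example.myshopify.com")
    qs = sign_oauth_query({"code": "c1", "shop": "example.myshopify.com", "state": st})
    print(handle_callback(qs))  # accepted
    print(handle_callback(qs))  # rejected: bad state (single use)
    body = b'{"id": 1, "financial_status": "refunded"}'
    print(verify_webhook(body, sign_webhook(body)))  # True
```

Two details carry most of the weight: `hmac.compare_digest` rather than `==`, and hashing the raw body bytes rather than a parsed-then-dumped representation. Parsing first is the classic way a webhook verifier silently fails open or, more often, rejects every legitimate event.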

Stored secrets

Shopify access tokens are encrypted before storage. Production environments must provide WEAVECYCLE_APP_ENCRYPTION_KEY instead of using demo defaults.
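The two production requirements stated on this page, demo mode off and a real encryption key instead of the demo default, are the kind of thing a service should refuse to start without. The following startup guard is an added example, not WeaveCycle's code. It assumes a `WEAVECYCLE_ENV` variable marking production deployments (the page does not name one), treats the key as a base64url-encoded 32-byte secret (an assumption about format), and uses a constructed `DEMO_DEFAULT_KEY` value in place of whatever the real demo default is.

```python
import base64
import binascii
import secrets
from typing import List, Mapping

# Constructed stand-in for the real demo default; the guard must refuse it in production.
DEMO_DEFAULT_KEY = "demo-insecure-key-do-not-use"
# Assumption: the production key is a base64url-encoded 32-byte secret.
ENCRYPTION_KEY_BYTES = 32


def generate_encryption_key() -> str:
    """Produce a key in the assumed format; run once and store it in the secret manager."""
    return base64.urlsafe_b64encode(secrets.token_bytes(ENCRYPTION_KEY_BYTES)).decode()


def production_config_problems(env: Mapping[str, str]) -> List[str]:
    """Return every reason the process must not start in production (empty list = OK).
    Outside production the demo conveniences are allowed, so nothing is checked."""
    if env.get("WEAVECYCLE_ENV", "development") != "production":  # assumed variable
        return []

    problems: List[str] = []

    # Demo mode must be explicitly off; an unset variable is treated as unsafe.
    if env.get("WEAVECYCLE_DEMO_MODE", "").strip().lower() != "false":
        problems.append("WEAVECYCLE_DEMO_MODE must be set to false in production")

    key = env.get("WEAVECYCLE_APP_ENCRYPTION_KEY", "").strip()
    if not key:
        problems.append("WEAVECYCLE_APP_ENCRYPTION_KEY is not set")
    elif key == DEMO_DEFAULT_KEY:
        problems.append("WEAVECYCLE_APP_ENCRYPTION_KEY is still the demo default")
    else:
        try:
            raw = base64.urlsafe_b64decode(key)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) != ENCRYPTION_KEY_BYTES:
            problems.append(
                f"WEAVECYCLE_APP_ENCRYPTION_KEY must decode to {ENCRYPTION_KEY_BYTES} bytes"
            )
    return problems


def assert_safe_to_start(env: Mapping[str, str]) -> None:
    """Fail closed: raise before any request handler or worker loop is registered."""
    problems = production_config_problems(env)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))


if __name__ == "__main__":
    import os
    assert_safe_to_start(os.environ)
    print("configuration OK")
```

Call `assert_safe_to_start` at the top of both the FastAPI service and the worker entry points; a check that only the web process runs leaves the worker free to decrypt tokens with the demo key.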

Auditability

Membership, organization, integration, return routing, listing, forecast, handoff, and DPP events create audit or product event records.

Security headers

The web app sets nosniff, strict referrer policy, denied framing, restricted browser permissions, and a baseline CSP for frame, base, and object restrictions.

Infrastructure

The target production layout is Vercel for the web app, Render Frankfurt for the FastAPI service and worker, Supabase Postgres in an EU region, and PostHog EU for analytics.

Data protection

The data model keeps customer PII lean for the current phase. Core tables include org_id, and Shopify tokens are encrypted before storage when a production encryption key is configured.

Limits and next hardening

We are intentionally clear about what is not done yet.

WeaveCycle is not yet SOC 2 certified.
A formal public DPA and subprocessor change process still need legal review.
The worker, migration process, and storage artifact controls are still early-stage.
Role-based controls and row-level database policies should be hardened further before broad production rollout.