Security Architecture

Your data is yours.
We can't read it. By design.

ShelfLyf uses envelope encryption with per-organisation keys to ensure that your pricing, inventory, deal terms, and PII are cryptographically isolated — even from us.

How it works

Envelope encryption with per-org keys


  Your Browser                    ShelfLyf API                      Database
  ───────────                    ────────────                      ────────

  price: 450    ──── HTTPS ────►  Authenticate (Firebase JWT)
  terms: Net 30                   │
  gstin: 29AAB...                 ▼
                                  Load org's encryption key
                                  (from cache or KMS unwrap)
                                  │
                                  ▼
                                  AES-256-GCM encrypt each field:
                                  price  → "Bx9k2mP..."
                                  terms  → "Qw7nR4j..."
                                  gstin  → "Hy3xL9v..."
                                  │
                                  ▼                               ┌────────────────────┐
                                  Prisma write ─────────────────► │ price: "Bx9k2mP…"  │
                                                                  │ terms: "Qw7nR4j…"  │
                                                                  │ gstin: "Hy3xL9v…"  │
                                  On read:                        │ (ciphertext only)  │
                                  decrypt each field              └────────────────────┘
                                  │                               │
  price: 450    ◄─── HTTPS ────  Return decrypted                │
  terms: Net 30                                                   │
  gstin: 29AAB...                                                 │
                                                                  │
  DB admin sees ─────────────────────────────────────────────────►│ "Bx9k2mP..."
  (gibberish)                                                     │ Cannot decrypt
                                                                  │ without org's key

Per-organisation encryption key

Each organisation gets a unique 256-bit Data Encryption Key (DEK) generated on signup. Org A's key cannot decrypt Org B's data. Keys are never shared.

AES-256-GCM encryption

The same algorithm used by governments and financial institutions. Each field gets a unique random initialisation vector — encrypting the same value twice produces different ciphertext.

Google Cloud KMS

Your org's DEK is itself encrypted by a Key Encryption Key (KEK) stored in Google's hardware security modules. The KEK never leaves Google's tamper-resistant hardware.

Zero-knowledge architecture

Keys are decrypted in memory only for the duration of your request, then discarded. Database dumps, backups, and logs contain only ciphertext. ShelfLyf staff cannot read your data.

What's encrypted

Every sensitive field. No exceptions.

We classify every data field by sensitivity. Anything containing pricing, deal terms, financial data, or personally identifiable information is encrypted at the field level.

  Category             Examples                                                                 Protection
  ────────             ────────                                                                 ──────────
  Pricing & costs      MRP, manufacturer unit cost, asking price, bid price, final award price  AES-256-GCM per field
  Deal terms           Payment terms, delivery preference, freight responsibility, MOQ          AES-256-GCM per field
  Financial documents  Invoice line items, tax breakdowns (CGST/SGST/IGST), totals              AES-256-GCM (entire blob)
  PII                  Phone numbers, WhatsApp numbers, GSTIN, addresses                        AES-256-GCM per field
  Negotiation data     Counter-offer prices, proposed terms, negotiation notes                  AES-256-GCM per field

Defence in depth

Encryption is one layer. Here are the rest.

Authentication

  • Firebase Auth with server-side JWT signature verification on every request
  • Role-based access control: org_admin, liquidation_manager, finance_approver, viewer, and more
  • Brute-force protection: 10 login attempts per minute, then lockout

Data isolation

  • Every database query is scoped to the authenticated org — no cross-org data leakage
  • Platform administrators see aggregate metrics only, never raw manufacturer data
  • API keys are tied to a single organisation and can be revoked instantly

Audit trail

  • Every action is logged: who did what, when, from where (IP + user agent)
  • Sensitive field changes are logged as "[REDACTED]" — we record that pricing changed, not the values
  • Audit logs are exportable for your compliance team

Input validation

  • Every API request is validated against strict Zod schemas — type-safe at the boundary
  • SQL injection prevention via Prisma ORM (parameterised queries)
  • Rate limiting: 100 requests/minute per user, 1,000/minute per organisation

Data control

  • Cryptographic erasure: when you leave, we destroy your encryption key — your data becomes permanently unrecoverable
  • Data export: download all your organisation's data at any time
  • HTTPS everywhere: TLS 1.3 in transit, encrypted at rest in Google Cloud infrastructure

Infrastructure

Built on Google Cloud Platform

Cloud Run

Stateless compute with automatic scaling. No persistent server state.

Cloud KMS

Hardware security modules for key encryption. FIPS 140-2 Level 3 validated.

Neon PostgreSQL

Serverless Postgres with connection pooling and automatic backups.

Firebase Auth

Managed authentication with server-side token verification.

Redis (Upstash)

Rate limiting and session caching. No sensitive data stored.

Cloud Build

Automated CI/CD with Workload Identity Federation — no static credentials.

Questions about our security?

We're happy to walk through our architecture with your security team. Reach out and we'll schedule a call.