Executive summary
KAK Edge is a managed SaaS that analyses Shopify storefront activity and pushes optimization signals to Meta. We run a dedicated, isolated database and dashboard for every merchant. No two merchants share infrastructure. PII is hashed before any external transmission. On cancellation we permanently delete everything within 30 days and issue a cryptographic deletion certificate.
Compliance stance
- GDPR (EU / UK) — we act as a processor for our merchants; they are the controller. Our Data Processing Addendum is available at /dpa.html. We implement Article 28 requirements, maintain a sub-processor list, and support all data-subject rights (access, rectification, erasure, portability, objection, restriction).
- CCPA / CPRA (California) — we do not sell or share personal information for cross-context behavioural advertising. Californians can exercise their rights via the Do Not Sell or Share link in our footer.
- DPDPA 2023 (India) — we honour Indian data principal rights. Our designated Grievance Officer is listed below.
- Shopify Protected Customer Data — we meet Level 2 requirements: annual policy review, 30-day deletion SLA on
shop/redact, per-tenant encrypted tokens, minimum necessary access.
Infrastructure inherited controls
Our compute and data sit on top of vendors with their own independent audits. We inherit their controls; we do not claim certifications we haven't earned.
- Vercel (application hosting) — SOC 2 Type II, ISO 27001 certified
- Supabase (per-tenant databases) — SOC 2 Type II, GDPR DPA
- Stripe (billing) — PCI DSS Level 1
- Resend (transactional email) — SOC 2 Type II, GDPR DPA
- Cloudflare (DNS, TLS) — SOC 2 Type II, ISO 27001
- Inngest (background jobs) — SOC 2 Type II
Our own security practices
- Per-tenant isolation — each merchant gets their own dedicated Supabase project. No shared-schema multi-tenancy for customer data.
- Encryption in transit — TLS 1.3 everywhere. HSTS enforced. HTTP->HTTPS redirect.
- Encryption at rest — AES-256 (inherited from Supabase and Vercel Blob).
- Token storage — third-party OAuth tokens (Meta, Shopify) are AES-256-GCM encrypted with a per-tenant master key before persisting.
- PII hashing — shopper email addresses and phone numbers are SHA-256 hashed before leaving the tenant database. We never transmit raw PII to Meta.
- Password hashing — PBKDF2-SHA512 with 210,000 iterations (OWASP 2023+ recommendation).
- Session tokens — HS256-signed JWTs with 7-day TTL, HttpOnly + Secure + SameSite=Lax cookies.
- Webhook verification — HMAC-SHA256 signature check on every inbound webhook from Shopify, Stripe, and Meta. Replay protection via delivery-id dedup.
- Rate limiting — on login, OTP, and sensitive admin endpoints (Upstash Redis backed).
- Audit logging — every sensitive admin action (impersonation, cancellation, deletion, legal hold) is logged to an append-only audit table.
Data retention schedule
| Data category | Retention |
|---|
| Merchant account + dashboard data | Active life of subscription + 30 days after cancellation |
| Shopify order / customer / product mirrors | Same — deleted with tenant DB on day 30 |
| Tracker behavioural events | Same — deleted with tenant DB on day 30 |
| Meta OAuth tokens + connection metadata | Revoked and cleared at cancellation; rows deleted on day 30 |
| Shopify OAuth tokens | Same |
| Transactional emails (Resend logs) | 30 days at Resend |
| Database backups (point-in-time recovery) | 30 days (so worst-case total lifetime is 60 days) |
| Audit logs (admin actions) | 12 months, rolling |
| Deletion certificates (hash only, no PII) | 7 years — legal evidence of deletion |
30-day deletion lifecycle
- Day 0 — customer cancels (via Shopify uninstall, Stripe, or dashboard). We send an email confirming the cancellation and the deletion schedule, with a one-click reactivation link.
- Days 1–14 — dashboard remains fully read-write. Reactivation remains one-click.
- Day 15 — dashboard switches to read-only mode.
- Days 16–29 — reminder emails on day 23 and day 29.
- Day 30 — hard delete runs: Supabase project destroyed, Vercel deployment destroyed, DNS record removed, encrypted tokens wiped, audit rows anonymised. A SHA-256 deletion certificate is generated and emailed to the customer as final confirmation.
Sub-processors
We keep a current list of every service that touches merchant data at /subprocessors.html. Material additions are notified to active merchants 30 days in advance by email.
Breach notification
If we discover a confirmed data breach affecting merchant data, we will:
- Notify affected merchants via email within 72 hours of confirmation (GDPR Art. 33 timeline)
- Include nature, scope, categories, approximate record count, likely consequences, and remediation steps
- Assist merchants with their own notification duties to supervisory authorities and data subjects
- Preserve forensic evidence for regulator / auditor review
Grievance Officer (DPDPA)
Designated Grievance Officer
Karthik Venkatesh, Founder & Data Protection Lead
KAK Digital LLC
Email: grievance@kakedge.com (monitored daily)
Alternate: hello@kakedge.com
Response SLA: 30 days per DPDPA §13.
International data transfers
We operate from the United States. Merchant data may be processed in the US and in EU/Asia regions depending on which Supabase region the merchant is provisioned into. For EU-based merchants we offer a Frankfurt (EU) region on request at signup. We rely on Standard Contractual Clauses (2021/914) with our sub-processors for cross-border transfers.
Reporting a security issue
Found a vulnerability? Please email security@kakedge.com. We investigate every report. We do not currently operate a bounty program but we credit reporters who request it.
What we don't claim
We want to be honest about the line between "we do this" and "we have a certificate proving it". Today we do not hold SOC 2, ISO 27001, or HIPAA certifications. We inherit our sub-processors' certifications (listed above) but we won't put their logos on our site as if they were ours. We plan to pursue SOC 2 Type I in the next 6 months and will update this page when complete.
Questions
Email hello@kakedge.com. A real person reads every one.