ScanSewa by Lacspace
Trust & Security

Security built into every layer.

ScanSewa handles your orders, payments and customer data — so we treat protecting it as a first-class feature, not an afterthought. Here’s exactly how we keep your business safe.

How we protect your data

Six layers of protection

From the network to the database, each layer is designed to fail safe and to keep your data visible to your business alone.

Encrypted in transit

All traffic is served over HTTPS/TLS with HSTS (2-year, preload) enforced across every domain. No data moves over plain HTTP.

Authenticated & scoped access

Every API request is verified with a signed JWT. Sessions live in httpOnly, SameSite cookies that client-side scripts cannot read, and Developer API keys are read-only and scoped to exactly what each integration needs.

Strict tenant isolation

Your data is pinned to your business by the verified token on every request — one account can never read or modify another tenant’s orders, customers or finances.

Hardened application

User-supplied content is sanitized before rendering, security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are set platform-wide, and the image/asset surface is locked to trusted hosts.

Reliable infrastructure

Runs on AWS with managed MongoDB and S3 object storage. Rate limiting protects every endpoint, and CORS is restricted to ScanSewa-owned origins.
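As an added example, not ScanSewa's own rate limiter, here is the shape a per-key and per-vendor limiter takes when it also tells clients where they stand. It assumes fixed 60-second windows and constructed quotas (3 requests per key, 5 per vendor), and uses the RateLimit-Limit, RateLimit-Remaining and RateLimit-Reset header names from the IETF rate-limit headers draft.

```javascript
// Added example (not ScanSewa's code): per-key and per-vendor fixed-window
// rate limiting that emits RateLimit-* response headers.

// One fixed-window counter per key. Windows are aligned to multiples of
// windowSeconds so every request sharing a key sees the same reset time.
class FixedWindowLimiter {
  constructor(limit, windowSeconds) {
    this.limit = limit;
    this.windowSeconds = windowSeconds;
    this.counters = new Map(); // key -> { windowStart, count }
  }

  // Records one request for `key` at `nowSeconds` and returns the decision
  // together with the headers a well-behaved client uses to pace itself.
  consume(key, nowSeconds) {
    const windowStart = Math.floor(nowSeconds / this.windowSeconds) * this.windowSeconds;
    const reset = windowStart + this.windowSeconds - nowSeconds; // seconds until the window ends
    const entry = this.counters.get(key);
    const used = entry && entry.windowStart === windowStart ? entry.count : 0;
    if (used >= this.limit) {
      return {
        allowed: false,
        headers: {
          'RateLimit-Limit': this.limit,
          'RateLimit-Remaining': 0,
          'RateLimit-Reset': reset,
          'Retry-After': reset,
        },
      };
    }
    this.counters.set(key, { windowStart, count: used + 1 });
    return {
      allowed: true,
      headers: {
        'RateLimit-Limit': this.limit,
        'RateLimit-Remaining': this.limit - used - 1,
        'RateLimit-Reset': reset,
      },
    };
  }
}

// Constructed quotas for the example, not ScanSewa's real limits:
// 3 requests per minute per API key, 5 per minute per vendor account.
const perKey = new FixedWindowLimiter(3, 60);
const perVendor = new FixedWindowLimiter(5, 60);

// The vendor-wide budget is charged first, then the key's own budget. A
// request passes only when both permit it; the response carries whichever
// set of headers has fewer requests remaining, so the client sees the real
// constraint. A request refused by its key still counts against the vendor,
// a deliberate choice so one noisy key cannot probe the endpoint for free.
function checkRequest(apiKey, vendorId, nowSeconds) {
  const vendor = perVendor.consume(`vendor:${vendorId}`, nowSeconds);
  if (!vendor.allowed) return { status: 429, headers: vendor.headers };
  const key = perKey.consume(`key:${apiKey}`, nowSeconds);
  if (!key.allowed) return { status: 429, headers: key.headers };
  const tighter =
    key.headers['RateLimit-Remaining'] <= vendor.headers['RateLimit-Remaining']
      ? key.headers
      : vendor.headers;
  return { status: 200, headers: tighter };
}
```

In production the Map would be replaced by a shared store so that every application instance counts the same window, but the decision logic and the headers stay the same.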

Privacy by design

We collect only what the product needs to run your business, never sell your data, and give you control over it. See our Privacy Policy and Data Processing Addendum.

Under the hood

Security practices we follow

  • JWT signature verification on every protected endpoint
  • httpOnly + Secure + SameSite=Lax session cookies
  • Per-tenant authorization enforced server-side (no client-trusted scoping)
  • Read-only, least-privilege Developer API keys
  • Per-key and per-vendor rate limiting (with RateLimit-* headers)
  • HTML sanitization of all user-generated content (anti-XSS)
  • Strict CORS allowlist + platform-wide security headers
  • Passwords hashed with bcrypt; secrets kept server-side only
  • Signed webhooks (HMAC) for outbound and inbound integrations
  • Encrypted transport (TLS) end-to-end with HSTS preload

Responsible disclosure

Found a vulnerability? We want to hear from you. Email a detailed report and we'll acknowledge it quickly, keep you updated, and credit you once it's resolved. Please give us a reasonable window to fix issues before any public disclosure.

security@scansewa.com

Compliance & data handling

Our practices are built around widely recognised privacy principles (including GDPR-style data-subject rights). We're actively maturing toward formal certifications as we grow. Our data-handling commitments are documented in our legal policies.

Built on trust

Your data, protected end-to-end

See how ScanSewa keeps multi-location businesses secure while moving fast — book a walkthrough with our team.