SilverEarth Commerce

Security Architecture

Your admin holds everything.
We protect it accordingly.

Catalog data, customer records, financial history, and team access — all live in one admin. SilverEarth Commerce treats security as a first-class feature, not an afterthought. Here's exactly how the platform is hardened.

FIDO2 / WebAuthn · TOTP MFA · NIST SP 800-63B · PCI DSS SAQ A · BCrypt + HMAC-SHA384 · Azure-hosted

Authentication

Three ways to authenticate. Every one phishing-resistant or breach-aware.

The platform supports three credential types simultaneously. Users choose their preferred method; admins can enforce a minimum requirement across the whole tenant.

Password

NIST SP 800-63B aligned

  • 12-character minimum length — no arbitrary complexity rules
  • Have I Been Pwned breach check on every new password — rejected if found in any known data breach
  • BCrypt cost factor 12 with HMAC-SHA384 pre-hash — resistant to BCrypt 72-byte truncation attacks
  • No periodic forced rotation — NIST-aligned (rotation encourages weaker passwords)
  • Secure reset flow: time-limited, single-use tokens delivered by email
  • Account lockout after repeated failed attempts with exponential backoff

TOTP Multi-Factor

Works with any authenticator app

  • RFC 6238-compliant TOTP — works with Google Authenticator, Authy, 1Password, Microsoft Authenticator, and any other TOTP app
  • QR-code enrolment flow with manual key entry fallback
  • Single-use backup recovery codes generated at enrolment — each code can only be used once
  • Admin-configurable MFA policy: Optional, Recommended (with persistent reminder), or Required (enforced on every login)
  • Administrators can view MFA status and force-reset an individual user's TOTP device

Passkeys (FIDO2)

WebAuthn Level 2

  • W3C WebAuthn Level 2 — hardware security keys (YubiKey, etc.), Touch ID, Face ID, Windows Hello, and Android biometrics
  • Phishing-resistant by design — origin binding means a credential registered for your domain cannot be used on any other domain
  • Multiple passkeys per account — register your laptop, phone, and a hardware key as fallback
  • Device-bound and sync passkeys supported — works with iCloud Keychain, Google Password Manager, and 1Password
  • Passkeys satisfy both authentication and second-factor in a single gesture — no TOTP code required

Session Management

Short-lived sessions

8-hour maximum session lifetime. Sessions are invalidated server-side — changing your password or enabling a higher MFA level immediately invalidates all other active sessions.

HttpOnly, Secure cookies

Session tokens are stored in HttpOnly, Secure, SameSite=Strict cookies. They are not readable by JavaScript, so a cross-site scripting payload cannot exfiltrate the session token.

Force logout

Admins can force-logout any user in the tenant immediately from the User Management panel. The user is signed out on their next request.

Concurrent session awareness

The admin panel shows each user's active sessions with device, browser, IP, and last-active time. Revoke any individual session without affecting others.

Access Control

Role-based access — four levels, no ambiguity.

Every action in the admin is gated by role. Staff get exactly the access they need — nothing more. Roles are tenant-scoped; a user with Admin access on one tenant has no access to any other.

SuperAdmin

Full platform access including billing management, tenant configuration, all user administration, and audit log access. Intended for the account owner only.

Admin

Full content and commerce access. Can manage users, view the security audit log, and configure MFA policy. Cannot change billing or delete the account.

Editor

Can create, edit, and publish content across all pillars. Cannot manage users, view financial summaries, or access security-sensitive areas.

Viewer

Read-only access to the admin. Useful for stakeholders, investors, or third-party reviewers who need visibility without the ability to make changes.

Tamper-Evident Security Audit Log

Every security-relevant action is recorded with actor identity, IP address, user agent, and timestamp. Log entries are append-only — they cannot be edited or deleted from the admin UI. Visible to Admin and SuperAdmin roles only.

  • Login succeeded: actor, credential type used (password / TOTP / passkey), IP, device
  • Login failed: failed credential type, IP, lockout triggered Y/N
  • MFA enrolled / removed: device description, actor, IP
  • Passkey registered / revoked: passkey ID, device label, actor, IP
  • Password changed / reset: reset token ID if applicable, actor, IP
  • Role changed: previous role, new role, changed by, timestamp
  • User invited / deactivated: target user, actor, IP, timestamp
  • Force logout issued: target user, sessions revoked count, actor
  • Billing event: plan change, payment succeeded/failed — actor and IP
  • API key issued / revoked: key prefix (never full key), actor, IP

Infrastructure & Data Protection

Azure-hosted. Always encrypted. Always available.

The platform is architected on Microsoft Azure services with defence-in-depth — multiple independent security controls, not a single perimeter.

Azure-Hosted Infrastructure

All compute, database, storage, and CDN runs on Microsoft Azure. Azure's physical and network security, including ISO 27001, SOC 2 Type II, and PCI DSS compliance, is inherited by the platform.

Encryption at Rest

Azure SQL uses Transparent Data Encryption (TDE) with AES-256 for all database files, backups, and transaction logs. Azure Blob Storage uses 256-bit AES encryption with Microsoft-managed keys for all media assets.

TLS 1.2+ in Transit

All communication between clients and servers is enforced over TLS 1.2 or 1.3. Plain-HTTP requests are permanently redirected to HTTPS. HSTS headers prevent downgrade attacks.

Azure Blob Storage for Media

All uploaded images and files are stored in Azure Blob Storage. Files are served through Azure CDN with strict content-type headers and CORS policies — preventing inline script execution from uploaded content.

Automated Backups

Azure SQL performs automated full, differential, and transaction log backups with point-in-time recovery up to 35 days. Geo-redundant storage ensures backups survive a regional outage.

Vulnerability Management

Dependencies are tracked with automated security advisories. Critical CVEs in the dependency graph are patched on a published SLA. Penetration testing is conducted before major releases.

Application-Level Security Controls

Security is built into the application code — not bolted on at the perimeter.

  • All user input is validated server-side using Zod schemas — malformed requests are rejected before they reach business logic
  • Parameterised SQL queries throughout — no string concatenation, no SQL injection surface
  • CSRF protection on all state-changing requests via SameSite=Strict session cookies
  • Content Security Policy (CSP) headers restrict script sources to first-party and enumerated CDN origins
  • Rate limiting on all authentication endpoints — brute-force and credential-stuffing resistant
  • Stripe webhook signatures verified using HMAC-SHA256 — unsigned webhook calls are rejected
  • API keys hashed before storage — the plain-text key is shown only once at creation
  • All file uploads validated for MIME type and magic bytes before storage — server-side only
  • Admin session tokens are rotated on privilege escalation (e.g. after TOTP confirmation)
  • Outbound email uses SPF, DKIM, and DMARC-aligned sending — prevents email spoofing from your domain
Payments & PCI

PCI DSS SAQ A — no card data ever touches our servers.

SilverEarth Commerce uses Stripe Elements for all card collection. Card numbers, CVVs, and expiry dates are entered directly into Stripe-hosted iframes — they are never sent to, processed by, or stored on any SilverEarth server. This architecture qualifies the platform for PCI DSS Self-Assessment Questionnaire A (SAQ A), the lowest-scope PCI compliance category.

  • Stripe Elements renders inside a Stripe-owned iframe — card data never enters the DOM of your site
  • Only a Stripe PaymentMethod or SetupIntent ID is returned to our server — never raw card data
  • Stripe is a PCI DSS Level 1 Service Provider — the highest certification level
  • Stripe Connect Standard — payments go direct to your Stripe account; SilverEarth never holds customer funds
  • 3D Secure 2 / Strong Customer Authentication (SCA) supported natively via Stripe's Payment Intents API
  • Radar fraud detection (Stripe's ML-based fraud rules) active on all transactions

Privacy Act & GDPR Tooling

The platform provides built-in tools for compliance with the NZ Privacy Act 2020, Australia's Privacy Act 1988, GDPR, and the UK GDPR — wherever your customers are.

  • Customer data export (Subject Access Request) — generates a ZIP of all stored data for a given email address
  • Customer erasure — removes all personally identifiable information while preserving anonymised order records required for tax compliance
  • Marketing consent tracked separately from transactional communications — unsubscribe honoured immediately
  • Data retention policy configuration — auto-purge inactive customer records after a configurable period

Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability in SilverEarth Commerce, please contact us at security@silverearth.co.nz. We aim to acknowledge reports within 24 hours and resolve confirmed vulnerabilities within a published SLA based on severity. We do not pursue legal action against good-faith researchers who follow our disclosure policy.

Built to be trusted.

Questions about our security posture?

We're happy to provide a detailed security overview, discuss deployment options, or arrange a technical security review for enterprise enquiries.