Our Commitment
Security is built into our platform architecture from the ground up. We follow industry best practices for data protection, access control, and incident response.
Data Encryption
- In transit: All data between your browser and ShipWink is encrypted via TLS 1.2+ (HTTPS) on all endpoints.
- At rest: Sensitive data is encrypted at rest using AES-256.
- API keys: All carrier and payment credentials are stored encrypted and never exposed to frontend clients.
Payment Security
ShipWink does not store your credit card or bank details. All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider — the highest certification available.
Wallet top-up transactions are processed entirely within Stripe's secure environment. ShipWink never touches raw card data.
Authentication
- Password hashing using industry-standard bcrypt
- Email verification required for new accounts
- Session tokens with automatic expiry
- Two-factor authentication (2FA) — coming in upcoming release
Infrastructure
- Servers hosted on hardened cloud infrastructure
- Automated daily backups
- Production system access restricted by role
- Dependencies monitored for known vulnerabilities
Carrier API Security
All communication with carrier APIs (EasyPost, USPS, UPS, FedEx, DHL) is made server-side using encrypted API keys. These keys are never exposed in client-side code or browser network requests.
Responsible Disclosure
If you discover a security vulnerability, please report it to hello@shipwink.com with the subject: "Security Disclosure".
We ask for reasonable time to investigate before public disclosure. We do not pursue legal action against good-faith security researchers.
Data Breach Response
In the event of a data breach, ShipWink will:
- Notify affected users within 72 hours of becoming aware (per GDPR Article 33)
- Send details to the email on your account: nature of breach, data affected, and remediation steps
- Notify relevant data protection authorities as required by law