Gantry Cloud Security
Gantry protects fulfillment, customer, inventory, and workspace data with layered controls across authentication, workspace isolation, integrations, and auditability.
1) Tenant isolation
Every workspace is separated from every other workspace. Orders, inventory, tracking, messages, reports, settings, imports, exports, and audit records are scoped to the signed-in workspace.
- Users can only access records for their own workspace through normal app routes.
- Exports are workspace-scoped.
- Order detail, reporting, Cargo Hold, and settings routes enforce server-side workspace checks.
- Postgres Row Level Security enforces workspace boundaries for tenant-owned tables in addition to application checks.
- Platform admin access uses explicit protected admin paths and a separate database path for operational support.
2) Account security
- Passwords are stored as hashes, never as plain text.
- New workspace owners must verify their email before entering the app.
- Invited users join through expiring, email-bound invite links.
- Password reset links are expiring, single-purpose, and stored only as hashes.
- Privileged users can use MFA, and sensitive actions can require a fresh MFA check.
- Team members can be removed by owners when access should end.
3) Sessions and browser request safety
- Session cookies are configured as Secure, HttpOnly, and SameSite=Lax.
- Browser-initiated state-changing actions require CSRF tokens.
- Same-origin checks add a second layer for state-changing browser requests.
- Webhook endpoints are excluded from browser CSRF checks because they rely on provider signature verification instead.
- GET routes are not used for destructive account, team, settings, or fulfillment actions.
4) Integration credentials
Provider secrets such as API keys and webhook secrets are encrypted at rest before database storage. Gantry only decrypts them when needed for verified operations.
- Stripe, Shippo, Resend, Shopify, and WooCommerce credentials are stored encrypted where applicable.
- Platform email credentials are stored as protected platform settings.
- Customer billing payment data is handled by Stripe, not stored in Gantry.
5) Webhook and ingestion safety
Inbound provider events are verified before they enter the fulfillment pipeline.
- Stripe webhooks use Stripe signature validation.
- Shippo tracking webhooks use secure workspace routing.
- Shopify and WooCommerce webhooks use provider-specific channel secrets.
- Events are processed through a retry-capable ingestion queue.
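As an added illustration of the "verified before they enter the pipeline" rule (example code, not Gantry's own), the block below checks a Stripe-style signature header: the HMAC-SHA256 of "timestamp.body" under the endpoint secret, a freshness window against replay, and constant-time comparison. The secret, event body, and timestamp are constructed sample values.

```python
"""Verify a Stripe-style webhook signature before accepting an event (added example)."""
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # reject events whose timestamp is more than 5 minutes off


def _sign(secret: str, timestamp: int, payload: bytes) -> str:
    # Stripe's scheme: HMAC-SHA256 over "<t>.<raw body>" with the endpoint signing secret.
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_signature(payload: bytes, header: str, secret: str, now=None) -> bool:
    """Return True only if header carries a fresh, valid v1 signature for the raw payload."""
    now = int(time.time()) if now is None else now
    timestamp, candidates = None, []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            return False  # malformed header element
        if key == "t" and timestamp is None:
            if not value.isdigit():
                return False
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)  # several v1 entries appear during secret rotation
    if timestamp is None or not candidates:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = _sign(secret, timestamp, payload)
    # Constant-time comparison against every candidate so a near-miss leaks no timing.
    return any(hmac.compare_digest(expected, c) for c in candidates)


def build_signature_header(secret: str, payload: bytes, timestamp: int) -> str:
    """Constructed helper that mimics the provider side, for local testing only."""
    return f"t={timestamp},v1={_sign(secret, timestamp, payload)}"


# Constructed sample values: a fake endpoint secret and a minimal event body.
SAMPLE_SECRET = "whsec_example_not_real"
SAMPLE_BODY = b'{"id":"evt_test_1","type":"checkout.session.completed"}'

if __name__ == "__main__":
    ts = int(time.time())
    hdr = build_signature_header(SAMPLE_SECRET, SAMPLE_BODY, ts)
    print(verify_signature(SAMPLE_BODY, hdr, SAMPLE_SECRET))        # True
    print(verify_signature(SAMPLE_BODY + b" ", hdr, SAMPLE_SECRET))  # False: body altered
```

Always verify against the raw request bytes; re-serialising parsed JSON changes whitespace and key order and the HMAC will not match.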
6) Cargo Hold and fulfillment controls
- QR pick validation is enforced server-side when enabled.
- Frontend scans are helpful, but server-side validation decides whether label generation unlocks.
- Inventory reservation and deduction logic prevents duplicate deductions.
- Audit logs record important inventory and pick-session actions.
7) Audit logs and operational visibility
Gantry records important security and operational events, including authentication outcomes, team invitations, permission changes, password reset requests, email verification, settings changes, pick sessions, package splits, and inventory adjustments. Audit logs are immutable so operational history cannot be silently edited by normal app flows.
8) Data sharing commitment
Gantry does not sell customer data. Data is used to provide fulfillment, shipping, inventory, reporting, account security, and support workflows.
9) Planned hardening
- More granular roles for admin, fulfillment, Cargo Hold, and reporting access.
- Automated security test coverage in the release process.
- Expanded restore testing and backup runbooks before broader paid launch traffic.
- Dedicated admin control plane separation as the platform grows.
10) Report a concern
Security concerns should be reported to support or your account owner with endpoint, timestamp, workspace, and reproduction details where available.