Security & Compliance
How we protect your data and your unreleased imagery.
ShotSync turns raw fashion shoots into channel-ready product listings. Here are the security controls we operate today and the compliance work on our roadmap.
Your imagery stays on your device
Pre-launch shoots are clustered, renamed and formatted in your browser — not uploaded to our servers as part of the workflow.
Every brand is isolated
Database-level Row-Level Security enforces strict tenant separation — one organisation can never read another’s data.
Built on audited infrastructure
Every layer runs on SOC 2 Type II–certified providers — Supabase, Vercel and Stripe — so we inherit their controls.
We never touch card data
Payments run entirely through Stripe (PCI-DSS Level 1). ShotSync never sees, transmits or stores card details.
Security controls
How we handle your data
Sub-processors
| Provider | Purpose | Data handled | Compliance |
|---|---|---|---|
| Supabase | Database, authentication & file storage | Account & product data | SOC 2 Type II |
| Vercel | Application hosting, CDN & edge | Requests & operational logs | SOC 2 Type II |
| Stripe | Payment processing | Billing details (no card data stored by ShotSync) | PCI-DSS L1 · SOC 2 |
| OpenAI | AI product copy generation | Product attributes & prompts | SOC 2 Type II |
| Sentry | Error monitoring | Diagnostic data (PII-scrubbed) | SOC 2 Type II |
Our current sub-processor list. A signed Data Processing Agreement (DPA) is available on request — email hello@shotsync.ai.