Security
Last updated: May 24, 2026
Crossell.io is a multichannel ecommerce management and marketplace integration platform. We protect seller-authorized data with startup-appropriate operational security — not compliance theater. This page summarizes our public security posture and how to report issues.
1. Our Security Approach
- Seller-authorized access only — integrations use OAuth or API keys you connect; we do not scrape marketplaces without authorization
- Encryption in transit — HTTPS/TLS for all web and API traffic
- Encryption at rest — marketplace credentials encrypted with AES-256-GCM before storage
- Least privilege — production access restricted to authorized operators with MFA
- No resale of data — we do not sell personal or seller marketplace data
2. Infrastructure
Crossell is hosted on industry-standard cloud infrastructure with:
- HTTPS-only public endpoints
- Cloudflare for DDoS mitigation and edge protection (where enabled)
- Secrets stored in environment configuration, not in source code
- Database backups for recovery
- Separate staging and production environments where applicable
3. Access & Authentication
- MFA required for production and infrastructure admin access
- Unique credentials per team member; shared admin passwords are prohibited
- Marketplace connections use OAuth where supported by the platform
- Unused access is revoked during periodic access reviews
4. Incident Notification
If we confirm a security incident that materially affects seller data, we will notify affected account holders by email and post an update on this page when appropriate. We rotate credentials, contain the incident, and document response steps internally.
5. Responsible Disclosure
If you believe you have found a security vulnerability, please contact security. Include steps to reproduce, impact assessment, and your contact information. We ask that you:
- Do not access data belonging to other users
- Do not perform denial-of-service or destructive testing
- Allow reasonable time for us to investigate and remediate before public disclosure
We acknowledge good-faith reports and will not pursue legal action against researchers who follow these guidelines.
6. What We Are Not (Yet)
Crossell is an early-stage product. We do not currently hold ISO 27001 or SOC 2 certification. We maintain lightweight internal security policies appropriate to our stage and review them as we scale. We do not claim enterprise-grade network segregation, IDS/HIPS, or formal data classification programs unless and until they are implemented.
7. Contact
Security reports: contact security. Privacy: contact privacy.