Skip to main content
Security in a commerce platform is a shared responsibility. Galactic Core secures the infrastructure, the data boundaries, and the money path; your integration secures its keys and its own request handling. This page states what the platform guarantees and where your responsibilities begin, so there is no ambiguity about who owns what. The theme throughout is that the important boundaries are enforced below the application, in the infrastructure — so a bug in application code cannot cross them.

Tenant isolation

Every merchant’s data is isolated at two levels, and neither depends on application code remembering to filter. Within a deployment, row-level security in the database scopes every read and write to a single store; across deployments, each tenant runs on its own dedicated database and API layer. A query cannot reach another store’s data, and one deployment’s incident cannot affect another’s. This is covered in depth in Data Model & Multi-tenancy — the short version is that isolation is a property of the infrastructure, not a filter an engineer has to remember. Automations extend this guarantee. When a merchant’s own automation — a custom extension, or an AI-generated one such as an ad-optimization rule — needs to read the store’s data, it does not get direct database access. It reads a governed set of business concepts (revenue and margin by product, stock at risk, campaign performance, active promotions, and the like) exposed as a fixed, read-only interface. Every concept is scoped to the automation’s own store, returns computed business facts rather than raw records, and can never reach another tenant’s data or a table the automation wasn’t meant to see. This lets a merchant’s logic act on rich, meaningful signals while the underlying data stays walled off — the same isolation that protects the storefront protects what an automation can read.

Authentication and access

Access to the API is by key, and the key type determines what it can do.

Publishable keys

For the storefront — safe to ship in a browser or mobile bundle. A publishable key reads catalog and other non-sensitive data, and can make the writes a shopper performs on their own behalf: adding to a cart or wishlist, submitting a review, sending a message, lodging a return, updating their own profile. It cannot place or modify orders, take payments, sign customers in, or touch store-wide or other customers’ data.

Secret keys

Full read/write access, for server-side use only. Orders, payments, customer sign-in, and any store-management write require a secret key — which must never reach the browser.
Writes a publishable key makes that act on a specific shopper’s data — their wishlist, reviews, returns, messages, and profile — additionally require that shopper’s own session token, so one shopper’s key can never act for another. Cart updates, stock reservations, newsletter sign-up, and anonymous analytics events are accepted without a session, because that is how a storefront works before a shopper logs in. Keys are stored only as a one-way hash — the platform keeps a fingerprint of each key, never the key itself, so a key is shown to you exactly once, at creation, and cannot be recovered afterward. Each request is authenticated and resolves to exactly one store before any data is touched. Keys also carry scopes: an integration authorized through Login with GC receives only the specific permissions the merchant approved, and a request outside those permissions is refused. Full details of the key model, environments, and request signing are in Authentication.

Data in transit and at rest

All API traffic is served over HTTPS/TLS; there is no plaintext endpoint. Sensitive values a merchant stores with the platform — payment-processor credentials, integration tokens — are encrypted at rest in a managed secrets vault, not in an ordinary table column, and the plaintext is never returned to the browser after it is entered. What the merchant sees afterward is a masked reference; the secret itself is used only server-side, to talk to the provider it belongs to.

Payment integrity

The payment path is designed so that the platform never holds funds and never sees raw card details.
1

Card details go straight to the processor

Card entry happens on the payment processor’s hosted checkout, not on a Galactic Core page. Card numbers never reach the platform’s servers or database — the platform stores only a payment reference, never a card number.
2

The processor holds the money

For marketplace payments, funds are captured by the processor and paid out to each merchant’s own connected account. The platform never custodies money; it only directs the split. This is what keeps marketplace operators outside money-transmitter territory.
3

Amounts are recomputed server-side

Prices, tax, shipping, discounts, and the order total are re-derived from the authoritative catalog when an order is placed. A client that submits a tampered price or total is rejected — the amount the customer is charged is the platform’s figure, never the client’s.
4

Payment confirmations are verified at the source

When a payment is confirmed, the platform re-checks the transaction directly with the processor and reads the amount and status from the processor’s own response. Provider webhooks are cryptographically signature-verified, and a notification that fails verification — or arrives without a signature — is rejected before it can affect an order.
The most sensitive server-to-server writes — placing or updating an order, initializing a payment, and pushing a catalog into the platform — additionally require a request signature, so a request that isn’t signed with the store’s secret is rejected even if it carries a valid key. Order placement also requires an idempotency key, so a retried request can never become a duplicate order. See Authentication for how to sign requests and Custom Integrations for handling payment webhooks in your own code.

Environment separation

Test and live data never mix. The key prefix chooses the environment — tybrite_sk_test_ / tybrite_pk_test_ operate on isolated sandbox data, …_live_ on production — and the two are stored under a separate environment marker so a test order can never appear in live reporting. Sandbox data is purged on a schedule, so test runs don’t accumulate. Because the environment is fixed by the key, there is no way for a live key to read sandbox data or the reverse.

Data protection and privacy

Galactic Core is built for GDPR and CCPA from the ground up. The data in a store belongs to the merchant, and the tools to exercise data-subject rights over it are self-service — the merchant runs them directly, from their own dashboard, without going through us. Your store’s data is never shared with anyone else; we would only step in to help produce an export if a merchant were unable to run one themselves.

Access and portability

A merchant can export a complete copy of their own store’s data — customers, orders, catalog, accounting, and the rest — as a portable archive of spreadsheets, from Settings → Data Export, with sensitive credentials excluded. They can also produce the data held about an individual customer to satisfy a request that customer makes to them.

Erasure

A merchant can delete an individual customer’s personal data, and can request deletion of their entire store. Erasure removes the personal data across the stores where it lives.
Beyond those operations, the platform minimizes and ages out the personal data it holds: personal details in payment transaction logs are automatically redacted after 90 days (the financial audit trail — reference, amount, status — is kept) and the records deleted entirely after a year, abandoned and test data are purged on a schedule, and each merchant’s data stays walled off in its own tenant. The database is backed up continuously with point-in-time recovery — see Scaling & Reliability.

Shared responsibility

The platform secures the infrastructure and the boundaries; you secure how your integration uses it. The split:
Found a security issue? We appreciate responsible disclosure — email [email protected] and we will work with you on it. Please give us a chance to address it before any public disclosure.

Authentication

Key types, scopes, environments, and request signing in detail.

Data Model & Multi-tenancy

How row-level security and per-deployment isolation keep tenants separate.