Security Practices

• HTTPS/TLS for traffic between users, Automenax, and providers.
• Encryption at rest for databases, backups, and object storage where supported.
• OAuth tokens and application secrets stored encrypted and separated from source code.

• Least-privilege access for production systems.
• Administrative access limited to authorized personnel.
• Role-based workspace permissions when multiple users are enabled.
• Access reviewed when personnel or contractors change roles.

• OAuth 2.0 Authorization Code flow with PKCE and CSRF state.
• Exact redirect URI matching for production OAuth configuration.
• Rate-limit handling, caching, retry-after support, and exponential backoff.
• No scraping, credential sharing, password collection, or Etsy checkout bypassing.

Automenax requests and stores only the data needed for connected-shop operation: draft listings, product templates, order context, delivery address fields, delivery profiles, shipment tracking, billing, support, and security logs.

We investigate suspected unauthorized access, token exposure, data loss, or service compromise promptly. When legally required, affected users, regulators, providers, or Etsy will be notified.

Security reports can be sent to security@automenax.com. Please do not access, modify, delete, or exfiltrate user data while testing.