Our approach
AuraStores holds the operational heart of your business — your stock, your sales, your margins, your team. We treat that with the seriousness it deserves: security isn’t a feature we added, it’s a constraint we build under. This page describes the concrete measures in place today.
It pairs with our Privacy policy, which covers what data we collect and why.
Encryption in transit and at rest
All traffic between your devices and AuraStores is encrypted with TLS — there is no unencrypted path into the platform. At rest, your data lives on managed cloud infrastructure that encrypts storage with industry-standard algorithms such as AES-256.
This applies across the platform: the web app, the mobile apps, our APIs, and the services that sync your branches.
Account security and authentication
- Passwords are never stored in plain text. Our authentication provider stores only salted password hashes; nobody at AuraStores can read your password.
- Email verification confirms ownership of your address before an account is fully active, and password-reset and confirmation links use modern, single-use secure flows.
- Sessions are managed centrally, so signing out and password changes take effect across your devices.
Role-based access control
Inside a store, access follows roles. Owners and the admins they appoint decide who can ring up sales, adjust stock, see reports, or manage staff — and which branches each person can touch. Permission checks are enforced on our servers, not just hidden in the interface.
When you change someone’s role or remove them, the change applies immediately across the web and mobile apps.
Data isolation between businesses
AuraStores serves many businesses from shared infrastructure, so isolation is enforced at the data layer: every product, sale, expense, and staff record is bound to your organization, and every query is scoped to it. There is no code path by which one store’s data can be returned to another store’s account.
Payment security
Subscription payments are processed by our payment provider, Lipila. Card numbers and mobile-money PINs never touch AuraStores servers — we hold only transaction references, amounts, and status so your billing history stays accurate.
We will never call, text, or email you asking for your password or a mobile-money PIN. If someone claiming to be AuraStores does, it’s a scam — report it to cloverfields.tech@gmail.com.
Infrastructure and backups
AuraStores runs on established managed cloud providers — the same class of infrastructure used by banks and large-scale software companies — rather than self-managed servers. That gives every layer of the platform hardened physical security, network protection, and patching by default.
Your data is backed up automatically on a rolling schedule, so a hardware failure doesn’t become your problem. Offline work queued on your devices (like sales rung up without signal) syncs into the same protected environment when you reconnect.
How we operate
- Least privilege: internal access to production systems is limited to the people who need it to run the service.
- Change control: code changes are reviewed and tested before they ship.
- Secrets hygiene: credentials and keys are stored in managed secret stores, never in code.
- Monitoring: we watch for errors and unusual behaviour so problems are caught early.
Your part
Security is shared. The measures above protect the platform; these habits protect your account:
- Use a strong, unique password for AuraStores — don’t reuse one from another service.
- Give staff the lowest role that lets them do their job, and remove people the day they leave.
- Keep your phone locked and the app updated.
- Never share your password or approve a payment prompt you didn’t initiate.
Responsible disclosure
Found a vulnerability? We want to hear about it. Email cloverfields.tech@gmail.com with enough detail to reproduce the issue, and give us a reasonable window to fix it before any public disclosure.
We won’t pursue action against good-faith research that respects our users’ data — don’t access data that isn’t yours, degrade the service, or use social engineering against our team or customers.