Security & Privacy

1. SSL/TLS Encryption

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Look for the padlock icon in your browser's address bar to confirm a secure connection. This encrypts:

  • Personal information (name, email, address)
  • Payment card details
  • Login credentials
  • All form submissions

2. Payment Security

We use Razorpay for payment processing, a PCI-DSS Level 1 certified payment gateway. This means:

  • Your credit card information is never stored on our servers
  • All transactions are encrypted and tokenized
  • We comply with Payment Card Industry (PCI) standards
  • Fraud detection and prevention measures are in place

You are never charged for failed transactions, and you receive a receipt for every successful purchase.

3. Data Protection

Your personal information is protected using:

  • MongoDB encryption: Data at rest is encrypted
  • Secure passwords: Passwords are hashed with bcrypt, not stored in plain text
  • Limited access: Only authorized staff can access customer data
  • Regular backups: We maintain encrypted backups in case of data loss
  • No third-party sharing: We do not sell or share your data with marketers

4. Security Headers

Our website implements the following security headers to prevent common attacks:

  • X-Content-Type-Options: Prevents MIME-type sniffing attacks
  • X-Frame-Options: Protects against clickjacking
  • X-XSS-Protection: Enables browser XSS protection filters
  • Strict-Transport-Security: Forces HTTPS for all connections
  • Referrer-Policy: Controls what information is shared when leaving our site
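As an added example (not the site's own code), the following JavaScript check audits a response's headers against the five headers listed above and flags any that are missing or set to a weak value; the sample header sets are constructed, and the one-year HSTS threshold and the accepted Referrer-Policy values are the example's own choices.

```javascript
// Added example (not the site's own code): audits a response's headers against the
// five headers listed above and reports any that are missing or carry a weak value.
const HEADER_CHECKS = {
  // Only "nosniff" is meaningful for this header.
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  // DENY or SAMEORIGIN block framing; ALLOW-FROM is obsolete and unsupported.
  "x-frame-options": (v) => ["deny", "sameorigin"].includes(v.trim().toLowerCase()),
  // Legacy header: current Chrome, Edge and Firefox ignore it. "1; mode=block" was the
  // value the old filter honoured and "0" disables it; a bare "1" left the filter in
  // rewriting mode, so it is treated as weak.
  "x-xss-protection": (v) => /^(0|1;\s*mode=block)$/i.test(v.trim()),
  // HSTS should carry a max-age of at least one year (31536000 seconds).
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 31536000;
  },
  // Policies that never send the full URL to another origin.
  "referrer-policy": (v) =>
    ["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"]
      .includes(v.trim().toLowerCase()),
};

// headers: plain object of name -> value, e.g. Object.fromEntries(res.headers) for a
// fetch() Response. Header names are case-insensitive, so they are lower-cased first.
// Returns an array of findings; an empty array means every header is acceptable.
function auditSecurityHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), String(value)])
  );
  const findings = [];
  for (const [name, isAcceptable] of Object.entries(HEADER_CHECKS)) {
    if (!(name in lower)) findings.push({ header: name, status: "missing" });
    else if (!isAcceptable(lower[name]))
      findings.push({ header: name, status: "weak", value: lower[name] });
  }
  return findings;
}
// Constructed sample responses (not captured from any real server).
const GOOD_RESPONSE = {
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "X-XSS-Protection": "1; mode=block",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};
// Missing X-Frame-Options, a five-minute HSTS max-age and a leaky Referrer-Policy.
const WEAK_RESPONSE = { ...GOOD_RESPONSE, "Strict-Transport-Security": "max-age=300",
  "Referrer-Policy": "unsafe-url" };
delete WEAK_RESPONSE["X-Frame-Options"];
```

Running auditSecurityHeaders(GOOD_RESPONSE) returns an empty array, while the weak set yields three findings (one missing header, two weak values), which is the shape a deployment check or CI step can assert on.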

5. Authentication & Sessions

We secure your account using:

  • NextAuth.js: Industry-standard authentication library
  • JWT tokens: Secure, signed tokens for session management
  • HttpOnly cookies: Session cookies cannot be accessed by JavaScript
  • CSRF protection: Forms are protected against cross-site request forgery
  • Password reset: Secure, time-limited tokens for password recovery

6. Vulnerability Management

We maintain a secure application by:

  • Regularly updating dependencies and libraries
  • Running security audits and vulnerability scans
  • Using TypeScript for type safety and fewer runtime errors
  • Following OWASP secure coding practices
  • Implementing input validation and sanitization

7. API Security

Our APIs are secured with:

  • Admin authentication: Sensitive endpoints require admin authentication
  • Rate limiting: Protection against brute-force attacks
  • Input validation: All inputs are validated and sanitized
  • HTTPS only: All API traffic is encrypted
  • CORS protection: Cross-origin requests are carefully controlled

8. Third-Party Services

We use trusted third-party services that meet security standards:

  • Razorpay: PCI-DSS Level 1 certified payment processor
  • MongoDB Atlas: Enterprise-grade database with encryption
  • Vercel: Secure hosting with DDoS protection
  • Courier partners: Trusted logistics providers with tracking

9. Reporting Security Issues

If you discover a security vulnerability, please report it responsibly to:

security@cassis-noir.com

Do not disclose the vulnerability publicly. We will investigate and fix the issue as soon as possible, and may recognize your contribution depending on the severity.

10. Your Responsibility

To keep your account secure, please:

  • Use a strong, unique password
  • Never share your login credentials
  • Log out from shared devices
  • Keep your browser and devices updated
  • Report any suspicious account activity immediately