Our Commitment to Security
ShipWink takes the security of your data and transactions seriously. This page outlines the measures we use to protect your account, your shipment data, and your wallet balance.
Data Encryption
- In transit: All data transmitted between your browser and ShipWink servers is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS to prevent downgrade attacks.
- At rest: Sensitive data, including API tokens and payment credentials, is encrypted at rest using industry-standard encryption.
Payment Security
ShipWink does not store your credit card or bank details. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Your card data never touches ShipWink servers.
- Stripe handles all card tokenization
- Wallet top-ups are processed in real time with Stripe's fraud detection
- 3D Secure (3DS) authentication is supported
Authentication
- Passwords are hashed using bcrypt with a strong salt factor — they are never stored in plain text
- Session tokens are short-lived JWTs that are invalidated on logout
- Password reset links are single-use and expire within 1 hour
Infrastructure
- ShipWink is hosted on hardened Linux servers with restricted SSH access
- Firewalls restrict inbound traffic to HTTPS (443) and authorized admin IPs only
- Server software is kept up to date with security patches
- Regular backups are performed and stored securely
Carrier API Security
ShipWink integrates with EasyPost for carrier rate fetching and label generation. All EasyPost API requests are made server-side using encrypted API keys. Your shipment data is transmitted directly to EasyPost over TLS and governed by EasyPost's Privacy Policy.
Responsible Disclosure
If you discover a security vulnerability in ShipWink, please report it to us at support@shipwink.com before disclosing it publicly. We commit to responding within 48 hours and resolving critical issues as quickly as possible. We appreciate responsible disclosure and will acknowledge your contribution.
Data Breach Response
In the event of a confirmed data breach affecting user data, ShipWink will:
- Notify affected users within 72 hours of discovery (in compliance with GDPR Article 33)
- Notify relevant supervisory authorities as required by law
- Provide guidance on protective steps users should take
Questions
For security-related inquiries, contact support@shipwink.com.