Trust center
Security
ShopSherpa is a security product, so trust has to be earned. This page explains the security principles behind the product, what is already in place, what must be finished before launch, and how to report a vulnerability.
Last updated: May 14, 2026
Least access
ShopSherpa should ask for the smallest set of browser, email, and payment permissions needed to protect users.
Local first where possible
Scam checks should run locally when they can. If a server check is needed, the request should be limited to the specific signal being checked.
No quiet trust me
Warnings should explain the reason: spoofed domain, risky seller pattern, suspicious checkout link, or phishing signal.
Sensitive features need stronger controls
Password Vault and Masked Cards should not launch broadly until encryption, access controls, logging, and incident response are ready.
Responsible disclosure
Found a security issue?
Please report it before making it public. Include the affected page or feature, steps to reproduce, impact, and screenshots or proof-of-concept details if safe to share.
Current controls
- HTTPS everywhere for the public site and product APIs.
- Stripe-hosted checkout for Plus pre-orders.
- Supabase-backed waitlist storage with restricted project access.
- Minimal retention for logs that are not needed for product safety or debugging.
- Human review before adding high-risk integrations such as inbox access, vault storage, or masked-card flows.
- A responsible disclosure inbox at hello@shopsherpa.org.
Before public launch
- Publish browser extension permission notes before public launch.
- Document data flows for Free, Plus, Phishing Shield, Password Vault, and Masked Cards.
- Add a dedicated security.txt file before launch.
- Run extension permission and dependency reviews before browser-store submission.
- Complete a third-party review before any password vault or card-masking feature handles real sensitive data.
Important product boundary
ShopSherpa helps reduce risk. It does not guarantee safety.
Scammers change tactics constantly. ShopSherpa is designed to flag suspicious patterns and give shoppers a second set of eyes before they pay, but no security product can promise to catch every scam, phishing email, fake review, or malicious seller.