ISSUE №01·SECURITY·TECHNICAL OVERVIEW

How we guard your data.

Trama holds two things that matter: the platform credentials that let us read your store, and the API keys that let your storefront talk to us. Below is the posture we maintain around each — at the level of detail a security reviewer would expect, without revealing what doesn't need revealing.

§01

Platform credentials are encrypted at rest.

OAuth tokens and connection secrets for every supported platform — Wix, Shopify, Webflow — are encrypted with modern, authenticated symmetric encryption before they reach storage. Encryption keys live in environment-isolated key material, never in source, never in logs, never returned in API responses.

Ciphertexts are versioned so encryption keys can be rotated without re-encrypting historical data. After a rotation, older ciphertexts continue to decrypt with their original key until they're naturally rewritten on the next credential refresh.

Secrets are scrubbed from every log line, every error response, and every analytics event before transit. Raw platform errors are normalized to a stable Trama error code before they ever reach a client — we don't leak upstream details to your customers.

§02

Every tenant is structurally isolated.

Tenant isolation is enforced at the database level using Postgres row-level security. Every request runs inside an authenticated tenant context, and that context is the only path through which any tenant-scoped data can be read or written. A query without a valid tenant context returns nothing — by design, not by convention.

Every layer of the Bridge enforces the same tenant boundary. There is no shared surface that bypasses isolation, and there is no operational shortcut that lets one tenant's data leak into another's response.

The only cross-tenant signal we maintain is fully anonymized, aggregated mapping pattern statistics — used to improve connector accuracy for everyone. No customer-identifying information is part of those aggregates, and no tenant's data is ever exposed to another tenant in any form.

§03

Two authentication surfaces, strictly separated.

Your storefront → the Bridge. Your storefront talks to Trama using API keys sent in a custom header. Production and test keys are prefixed and visually distinct, so they're easy to audit at a glance. We only ever store a one-way hash of the key — never the raw value. If a key leaks, you rotate it; nothing in our database can be used to reconstruct the original.

Dashboard → internal services. Your dashboard session uses short-lived access tokens (15 minutes) plus an httpOnly refresh cookie scoped only to the dashboard origin. Internal control routes require this session — they cannot be reached with an API key, period.

Platform OAuth tokens are exchanged out-of-band during project setup. Your platform credentials never transit through the SDK or your storefront — only the Bridge holds them, and only the Bridge talks to the upstream platform on your behalf.

§04

Per-tenant, per-plan, enforced at the edge.

Every Bridge request is rate-limited by tenant according to your plan's RPM and monthly quotas. Requests over the limit return HTTP 429 immediately — they don't consume backend resources, they don't flow through to upstream platforms, and they don't affect other tenants.
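The two-tier limit described above, as an added example that is not Trama's code: a per-tenant fixed-window counter for requests per minute plus a calendar-month quota, where a rejected request is decided before anything is counted so that a flood of over-limit calls cannot drain the tenant's own quota. The plan limits passed in, the `Retry-After` arithmetic and all names are assumptions.

```javascript
// Added example, not Trama's code: per-tenant fixed-window limiter enforcing a
// requests-per-minute ceiling and a monthly quota. Rejected requests are not
// counted, so over-limit traffic cannot consume what the tenant paid for.
// Limits, field names and the clock injection are assumptions.
const windows = new Map(); // tenantId -> { minuteStart, minuteCount, monthKey, monthCount }

function monthKeyOf(now) {
  const d = new Date(now);
  return `${d.getUTCFullYear()}-${d.getUTCMonth() + 1}`;
}

function secondsUntilNextMonth(now) {
  const d = new Date(now);
  const next = Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 1);
  return Math.ceil((next - now) / 1000);
}

// limits = { rpm, monthly } taken from the tenant's plan. `now` is injectable for tests.
function checkRateLimit(tenantId, limits, now = Date.now()) {
  const minuteStart = Math.floor(now / 60_000) * 60_000;
  const monthKey = monthKeyOf(now);
  let w = windows.get(tenantId);
  if (!w) {
    w = { minuteStart, minuteCount: 0, monthKey, monthCount: 0 };
    windows.set(tenantId, w);
  }
  if (w.minuteStart !== minuteStart) { w.minuteStart = minuteStart; w.minuteCount = 0; }
  if (w.monthKey !== monthKey) { w.monthKey = monthKey; w.monthCount = 0; }

  // Decide before counting: a 429 must not consume anything.
  if (w.monthCount >= limits.monthly) {
    return { allowed: false, status: 429, reason: 'monthly quota exhausted',
             retryAfterSeconds: secondsUntilNextMonth(now) };
  }
  if (w.minuteCount >= limits.rpm) {
    return { allowed: false, status: 429, reason: 'per-minute limit exceeded',
             retryAfterSeconds: Math.ceil((minuteStart + 60_000 - now) / 1000) };
  }
  w.minuteCount += 1;
  w.monthCount += 1;
  return { allowed: true, status: 200,
           remainingThisMinute: limits.rpm - w.minuteCount,
           remainingThisMonth: limits.monthly - w.monthCount };
}
```

In a request handler the verdict maps directly to the response: `allowed: false` becomes an immediate `429` with `retryAfterSeconds` in the `Retry-After` header and no downstream call, which is what keeps an over-limit tenant from touching backend or upstream capacity. The counters are keyed only by tenant, so one tenant's burst never changes another tenant's verdict.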

Upstream platform calls are guarded by per-platform circuit breakers. When an upstream gets flaky, we fail open to your customers using safe responses instead of cascading the outage — so a Wix, Shopify, or Webflow blip doesn't turn into a storefront blackout.
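The per-platform breaker described above, as an added example (written for this page, not Trama's code). The breaker opens after a run of consecutive upstream failures, serves a safe fallback without touching the upstream while it cools down, then lets a single probe through; to keep the state machine readable the upstream call is modelled as a synchronous function that throws on failure. The thresholds, the `emptyCatalog` fallback shape and all names are assumptions.

```javascript
// Added example, not Trama's code: one circuit breaker per upstream platform.
// After `failureThreshold` consecutive failures the breaker opens and serves a
// safe fallback without calling the upstream; after `cooldownMs` one probe call
// is let through. Upstream calls are modelled as synchronous functions that
// throw on failure. Thresholds, fallback shape and all names are assumptions.
class CircuitBreaker {
  constructor(platform, { failureThreshold = 3, cooldownMs = 30_000, clock = () => Date.now() } = {}) {
    this.platform = platform;
    this.failureThreshold = failureThreshold;
    this.cooldownMs = cooldownMs;
    this.clock = clock;
    this.state = 'closed'; // closed | open | half-open
    this.failures = 0;
    this.openedAt = 0;
  }

  call(upstream, fallback) {
    if (this.state === 'open') {
      if (this.clock() - this.openedAt < this.cooldownMs) {
        // Still cooling down: do not even try the upstream.
        return { source: 'fallback', state: 'open', value: fallback() };
      }
      this.state = 'half-open'; // let exactly one probe through
    }
    try {
      const value = upstream();
      this.failures = 0;
      this.state = 'closed';
      return { source: 'upstream', state: 'closed', value };
    } catch (err) {
      this.failures += 1;
      if (this.state === 'half-open' || this.failures >= this.failureThreshold) {
        this.state = 'open';
        this.openedAt = this.clock();
      }
      return { source: 'fallback', state: this.state, value: fallback(), error: String(err.message ?? err) };
    }
  }
}

const breakers = new Map(); // platform -> CircuitBreaker, e.g. 'wix', 'shopify', 'webflow'
function breakerFor(platform, options) {
  if (!breakers.has(platform)) breakers.set(platform, new CircuitBreaker(platform, options));
  return breakers.get(platform);
}

// A safe response for a storefront: an empty, clearly marked degraded result
// rather than an error page or a leaked upstream message.
function emptyCatalog() {
  return { products: [], degraded: true };
}
```

Two details matter for the storefront. The fallback is returned with a `degraded` flag rather than an error, so the page renders and can show a "try again shortly" state; and the upstream's own error text is captured for the Bridge's logs but never placed in the value returned to the client, matching the error-normalisation rule in §01.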

Every input is validated against a strict schema at the request boundary, and request bodies are capped to a small fixed size. Anonymous tool endpoints (e.g., the public mapping playground) are IP-rate-limited to deter abuse without forcing authentication on people who are just trying things out.

§05

Managed primitives. No homegrown crypto.

Primary data lives in managed Postgres in the EU region with encrypted backups. We do not run self-hosted databases and we do not export production data to developer machines. Access to the production environment requires SSO + MFA for every operator.

All outbound HTTP from the Bridge — site analysis, webhook delivery, anything that touches a URL — runs through an internal client that blocks internal IP ranges, cloud metadata endpoints, and dangerous URL schemes. This applies to every connector and every tool that takes a URL as input.

We use no client-side crypto we wrote ourselves. All symmetric encryption, JWT verification, and password hashing are built on Node's standard crypto module and well-audited libraries. Password policy is enforced upstream by our managed identity provider.

§06

Found a vulnerability? Tell us first.

If you believe you have found a security vulnerability in any Trama product, please email security@gotrama.com with reproduction steps. We acknowledge reports within 24 hours and aim to triage within 48.

Please do not publicly disclose the issue until we've had a chance to investigate and patch. We don't run a paid bounty programme today, but we credit responsible reporters by name (with permission) in our release notes and advisories.

Out of scope: social engineering of Trama employees, denial-of-service via volumetric flood, vulnerabilities in third-party platforms we connect to (Wix, Shopify, Webflow — report those directly to the platform), and findings that require physical access to a customer's device.

§07

Your levers.

  • Rotate API keys at any time from your dashboard. Old keys revoke instantly; the one-way hash is the only thing we ever held.
  • Revoke platform OAuth from your Wix, Shopify, or Webflow dashboard at any time. The next Bridge call fails fast — no stale token can outlive your decision.
  • Scope your keys by environment. Use test keys in CI and staging, production keys only in production. They are first-class separate keys, not a feature flag — and they look visually different so they're hard to mix up.
  • Audit access from the dashboard — every key's most recent request timestamp and IP is surfaced. Anomalies are visible to you, not just to us.

If anything on this page is unclear, or you need a written security review for procurement, email security@gotrama.com. We respond to all procurement questionnaires within five business days.
