
Security at RetailNorthstar.

Customer planning data — your assortments, vendor commitments, financial targets — is sensitive. The way we protect it is built into the product, not bolted onto it.

This page summarizes our controls, compliance posture, and operational practices. Procurement and information-security teams can request our security questionnaire responses, control documentation, and SOC 2 readiness status under NDA.

Six areas where we have explicit controls and documented practices.

Data protection

  • Customer data encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Application secrets managed in a dedicated secrets vault with rotation.
  • Backups encrypted, tested for restore, and retained per contractual terms.
  • Production data never used in development or testing environments.

Access management

  • Single sign-on via SAML 2.0 supported on Business and Enterprise plans.
  • SCIM provisioning for automated user lifecycle management.
  • Role-based access controls scoped by department, season, and capability.
  • Multi-factor authentication required for administrator accounts.

Application security

  • Code reviewed before merge; static analysis on every pull request.
  • Dependency scanning for known CVEs in third-party libraries.
  • Penetration testing by an independent third party on an annual cadence.
  • Vulnerability disclosure program — see contact details below.

Infrastructure & operations

  • Hosted in tier-1 cloud regions with redundant availability zones.
  • Network segmentation between application tiers and customer data stores.
  • Continuous monitoring and centralized log aggregation with retention.
  • Documented incident response plan with defined escalation paths.

Compliance posture

  • SOC 2 readiness in progress — controls aligned to the Trust Services Criteria; formal Type II audit not yet complete.
  • GDPR — Data Processing Addendum available for EU customers; see DPA page.
  • CCPA — privacy rights and disclosures documented in our Privacy Policy.
  • Customer security questionnaires supported; reasonable evidence provided under NDA.

Privacy & data handling

  • Customer data is processed solely to deliver the service contracted.
  • Sub-processors disclosed in the DPA and updated as the list evolves.
  • Data subject access, correction, and deletion supported within statutory windows.
  • Data residency options on Enterprise plans where required.

Common questions from security and procurement teams

Is RetailNorthstar SOC 2 certified?

Not yet. We have implemented controls aligned to the SOC 2 Trust Services Criteria — covering security, availability, and confidentiality — and we are progressing toward a formal Type II audit. Until that is complete, we share our control documentation and security questionnaire responses under NDA via your sales contact, and we are happy to discuss the certification timeline during procurement review.

Where is customer data stored?

Customer data is stored in tier-1 cloud regions selected for proximity, redundancy, and regulatory fit. Default residency is US; EU residency is available on Enterprise plans for customers with data-localization requirements. Backups remain in the same region as the primary data store.

Who has access to our data inside RetailNorthstar?

Access to customer data is limited to a small number of operations and support engineers, governed by role-based access policies and audited through centralized logs. Support engineers may access production data only after an explicit support request from a customer admin; ad-hoc access is not permitted.

How do we report a security issue?

Send disclosures to security@retailnorthstar.ai. We acknowledge receipt within two business days, validate the report, coordinate disclosure timing with the reporter, and credit reporters where appropriate. A PGP key for encrypting sensitive details is available on request.

How does the platform handle data deletion at end of contract?

On contract termination or written request, customer data is removed from production systems within 30 days and ages out of backups within the backup retention window (typically 90 days). A signed data-deletion attestation is provided on request.

Security and compliance, honestly stated.

Request our security questionnaire responses, DPA, and SOC 2 readiness documentation through your sales contact — or schedule a security review during the demo.
