Security
Built so the worst case can't happen.
An AI that touches your customers' orders and your money has to be constrained by architecture, not by promises. Here is exactly how Suvenna is built: what isolates your data, what stops a bad refund, and what proves every action after the fact.
Tenant isolation
Your store's data is walled off at the database
Isolation isn't an application-code convention that a bug can route around. It's enforced by the database itself, on every query, for every table.
- Row-level security on every table. The database refuses to return another store's rows, even to a query that asks for them. Isolation holds regardless of what the application layer does.
- OAuth tokens are encrypted at rest. Your Gmail, Outlook, and Shopify credentials are stored encrypted and decrypted only at the moment of use, never held in plaintext.
- Identity-bound order access. Order lookups are bound to the verified customer's email, and chat-widget shoppers are identity-verified by Shopify itself. A shopper can only ever see their own orders. No order snooping, by construction.
Money safety
Money can't move without a human saying yes
Refunds, cancellations, and returns run through an engine guardrail that sits below the AI. It is not a setting. It cannot be prompted, configured, or coded around.
- Confirm-before-money, in the engine. Every money action requires explicit confirmation from the customer, and risky ones queue for one-click human approval. This gate lives in the engine core, where application code cannot disable it.
- Refunds are bounded at execution time. A refund is capped by the order's actual refundable amount at the moment it runs, not the amount someone asked for.
- Live actions default off, per store. Every live Shopify action ships disabled. Nothing touches a real order until you explicitly turn it on for your store.
- Double-execution is impossible. Each approval is claimed exactly once. Two agents clicking approve on the same refund produces one refund, not two.
Accountability
Every action leaves a record you can audit
Trust isn't just prevention. When something does happen, you can see exactly what, who, and when, and the record can't be edited after the fact.
- Append-only audit log. Every money action is written to a log that can only grow. Entries are never updated or deleted, so the history you audit is the history that happened.
- Full context on every entry. Who approved, what executed, against which order, for how much. The approval queue and the audit log tell the same story.
- Roles that match your team. Owner, admin, and agent roles keep configuration and money controls in the hands you choose.
Compliance certifications are on our roadmap as we scale; we'd rather show you the architecture than a badge.
Get priority access
Suvenna onboards in limited waves. Join the list and you're first in line for the next one, with founding-member pricing locked in.