Lesuto Chameleon

The E-Commerce as a Service Platform

SaaS gives you tools. EaaS does the work.

We handle the infrastructureinventory, payments, returns, and techso you can focus purely on your brand.

Security & Trust

Your data. Your customers. Protected.

Security is built into every layer of the Lesuto platform — from how we handle payments to how we isolate tenant data. We don't bolt on security as an afterthought. It's foundational.

See How We Protect You Compliance Roadmap
0
Security Layers (Defense in Depth)
0-bit
Bit Encryption (TLS 1.3)
0+
Permission Templates
0%
Multi-Tenant Isolation

Infrastructure Security

Enterprise-grade infrastructure by default

Your application runs on Google Cloud with Cloudflare in front. No servers to manage, no patches to apply, no SSH access to compromise.

Google Cloud Platform

Hosted on Google Cloud Run (us-west1) with Google-managed infrastructure, automatic scaling, and built-in DDoS protection. No servers to patch — Google handles it.

Encryption in Transit

All data encrypted via TLS 1.3 / SSL. Every API call, webhook, and dashboard session is encrypted end-to-end. No exceptions.

Encryption at Rest

Database and file storage encrypted at rest using Google Cloud's default encryption (AES-256). Your data is protected even on disk.

Cloudflare Protection

DNS, SSL, and tenant routing handled by Cloudflare with built-in Web Application Firewall and DDoS mitigation across the entire network.

Elasticsearch Security

Search indices isolated per deployment with access restricted to internal service accounts. No public access to search infrastructure.

Automated Deployments

CI/CD via GitHub Actions with no manual server access. Infrastructure is immutable — every deploy is a fresh container. No SSH, no shell access.

Payment Security

We never touch your card data

All payment processing is handled entirely by Stripe. Lesuto never stores, processes, or has access to raw card numbers. Period.

Stripe PCI-DSS Level 1

All payment processing handled by Stripe, the industry leader. Lesuto never stores, processes, or transmits raw card numbers. Stripe is PCI-DSS Level 1 certified — the highest level of payment security.

Stripe Connect

Supplier and merchant payouts via Stripe Connect Express accounts with full identity verification (KYC). Every payout recipient is verified before they receive funds.

Stripe Tax

Automatic tax calculation at checkout. Tax compliance handled by Stripe's certified tax engine — W-8BEN/W-9 forms, tax transactions, and reversals all managed programmatically.

3D Secure

Stripe's built-in fraud prevention with 3D Secure authentication for high-risk transactions. Additional layer of verification protects both merchants and customers.

Webhook Verification

All Stripe webhook payloads verified with cryptographic signatures before processing. No unsigned or tampered event can trigger any action in the system.

Application Security

Defense in depth — four independent layers

Every role, every route, every API call is permission-gated. If one security layer is bypassed, the others still hold. No single point of failure.

Role-Based Access Control

25 pre-built permission templates covering every combination of merchant, supplier, and staff access. Every API endpoint, every screen, every button is gated by granular permissions.

Four Security Layers

Server-side resolver guards, navigation permission overrides, client-side route interception, and channel picker restrictions. No single point of failure — if one layer is bypassed, the others still hold.

Multi-Tenant Data Isolation

Each business operates in its own channel with complete data isolation. Merchants cannot see other merchants' orders, customers, or products. Suppliers are isolated the same way.

API Access Control

All GraphQL API requests require authentication. Public endpoints are explicitly allowlisted. Rate limiting and request validation on all mutations prevent abuse.

Session Security

Secure HTTP-only cookies with SameSite protection. Cookie secrets rotated regularly. Login supports both email and username authentication with configurable strategies.

Data Privacy

Privacy is a feature, not an afterthought

We believe in minimal data collection and maximum user control. We only collect what's needed to process orders and manage accounts — nothing more.

No Automatic Emails

Users must explicitly opt in to receive any email notifications. Master toggle plus per-category controls — everything defaults to OFF.

Minimal Data Collection

We only collect what's needed to process orders and manage accounts. No tracking pixels, no invasive analytics.

No Data Selling

We never sell personal data to third parties. Your data is yours. Full stop.

User Control

Customers can request data access, correction, or deletion at any time. We support CCPA/CPRA rights today.

Read Privacy Policy

Our Privacy Commitments

  • Email notifications default to OFF
  • No third-party data sales
  • Stripe handles all payment data
  • Data deletion available on request
  • Cookie consent management

We will never send you emails unless you explicitly opt in. All notification preferences are controlled from your account settings.

Compliance Journey

Our compliance roadmap — honest and transparent

We're building toward formal certifications. Here's where we stand today and what's coming next. No false claims — just facts.

What We Do Today

Active security measures in production

  • Stripe PCI-DSS Level 1 (via Stripe — we never touch card data)
  • TLS 1.3 encryption on all connections
  • AES-256 encryption at rest (Google Cloud managed)
  • Multi-tenant data isolation per channel
  • 25 granular permission templates with defense-in-depth
  • CCPA/CPRA rights support (California privacy)
  • Email opt-in policy (no unsolicited emails)
  • Cloudflare WAF and DDoS protection
  • Immutable infrastructure (container-based, no SSH access)

What's Coming

Planned certifications and programs

  • SOC 2 Type II certification (planned)
  • GDPR formal compliance program (in progress)
  • ISO 27001 certification (future roadmap)
  • HIPAA readiness for medical equipment suppliers (future roadmap)
  • Penetration testing program (planned)
  • Bug bounty program (planned)

Transparency note: We do not hold SOC 2, ISO 27001, or HIPAA certifications today. The items in the "What's Coming" column represent our roadmap, not current capabilities. We rely on Stripe for PCI compliance and Google Cloud for infrastructure-level certifications.

Responsible Disclosure

Found a vulnerability? Let us know.

We welcome security researchers to report vulnerabilities responsibly. If you've found a security issue in the Lesuto platform, please reach out to us directly. We take every report seriously and will work with you to resolve it.

security@lesuto.com

Questions about security?

Contact our team at security@lesuto.com or review our Privacy Policy for detailed information about how we protect your data.

Contact Security Team