SAGE Security Practices
Effective 2026-07-14. SAGE by SIMCO and IndieCo Marketing are operated by SIMCO LLC, Minnesota.
Security contact: Robert Sims, Owner / Operator, SIMCO LLC, robbie@simcopaint.com. Monitored product mailbox: hello@indieco.shop.
Scope
This page documents the security practices used for SAGE connected-shop workflows, including OAuth integrations, customer-list workflows, owner-reviewed messaging, and planned financial-data workflows such as Plaid Link. It is intended to support customers, partners, and API provider security review.
Governance
- SIMCO LLC maintains a documented privacy policy, connection-specific data-use disclosures, and this security-practices page for connected-data workflows.
- New API-provider launches are reviewed against that provider's developer terms, OAuth scopes, data-retention limits, disconnect behavior, and reviewer demo requirements before broad owner use.
- Provider approvals, denials, reviewer requests, and remediation notes are tracked in a provider-action log so repeat issues are not handled from memory.
- Material changes to collected data types, sharing partners, or purposes require privacy-policy updates and owner notice before launch.
Access Control
- SAGE uses store-scoped authentication tokens and rejects cross-shop requests at authenticated routes.
- OAuth integrations use provider authorization screens, state tokens, redirect URI checks, and PKCE where the provider supports it.
- SAGE stores provider access tokens server-side and does not expose provider secrets in browser code.
- Passkey sign-in is available for owner accounts through WebAuthn, with single-use challenges that expire after five minutes.
- Before SAGE surfaces Plaid Link in production, the Plaid connection flow will require an authenticated owner/manager session plus passkey or equivalent MFA re-authentication.
- Disconnect endpoints remove stored provider tokens and, where supported, make a best-effort remote revocation call.
Encryption
- Production pages and API routes are served over HTTPS. The production service sends HSTS, no-sniff, referrer-policy, and permissions-policy headers.
- OAuth and API calls to providers use HTTPS endpoints.
- Runtime data is stored on the production hosting provider's encrypted-at-rest project storage. SAGE does not rely on client-side local storage for provider OAuth secrets.
- Application-level field encryption for future high-sensitivity data stores, including Plaid-derived production financial tokens, is treated as a launch-gate item before broad production rollout if provider review requires more than platform-level encryption at rest.
Vulnerability Management
- Provider-facing changes are tested with focused smoke checks before deployment and again against production health endpoints after deployment.
- Critical security defects that affect authentication, token handling, provider callbacks, or connected financial data are triaged immediately and targeted for remediation within 72 hours.
- High-severity dependency or framework issues are targeted for remediation within 14 days after confirmation; medium issues are reviewed in the normal release cycle.
- End-of-life runtimes or dependencies are reviewed during release work and replaced before they become a blocker for provider approval or production support.
Consent And Data Minimization
- Connected-service workflows begin with owner action in SAGE and a provider-hosted consent screen when OAuth is available.
- SAGE requests the narrowest scopes that support the visible owner workflow and separates higher-risk integrations into distinct OAuth clients where appropriate.
- Owner-approved actions are required before SAGE posts social content, sends a Gmail reply, sends a campaign, changes inventory, disconnects a provider, or deletes shop/customer data.
- For Plaid, SAGE will use Plaid Link for consent and will not collect bank credentials. Plaid-derived data will be used only for owner-visible business cash-flow and operations tasks unless a future policy update and consent flow state otherwise.
Retention And Deletion
- Active shop/customer records stay in SAGE only while needed for the requested shop workflow.
- Customer records can be hard-deleted from authenticated dashboard routes.
- Connected-service disconnect removes stored tokens from active SAGE systems; provider-specific rows are canceled, removed, or retained only for the limited operational periods disclosed in the privacy policy.
- Encrypted backup copies age out under the 30-day backup-retention schedule unless law requires longer retention.
Incident Response
- Suspected security issues should be sent to hello@indieco.shop or robbie@simcopaint.com.
- SIMCO LLC triages suspected issues, preserves relevant logs, disables affected credentials where needed, and notifies impacted providers or customers when required by law, contract, or provider policy.