Security & Trust at Smart Merchandiser

Completed first SOC 2® Type 1 examination · April 9, 2026 · Johanson LLP
A report on the organization’s controls relevant to security. SOC 2 Type 2 examination in progress.
Full report available to qualified parties under NDA.

Smart Merchandiser is built on a single architectural choice that shapes every other decision we make: our AI runs on catalog and performance data only — never on customer PII. Below is what that means in practice, and how we prove it.

Current attestation

  • Examination type: SOC 2® Type 1 (a report on management's description of the system and the suitability of the design of controls; point-in-time)
  • As-of date: April 9, 2026
  • Report issued: May 14, 2026
  • Service auditor: Johanson LLP — Colorado Springs, Colorado
  • Scope: Smart Merchandiser system (SaaS, AWS-hosted)
  • Trust Services Criteria: Security
  • Service auditor's opinion: See Section I of the SOC 2® report (available under NDA)
  • SOC 2 Type 2 status: Examination in progress with the same service auditor; report expected later in 2026
  • Standards: AICPA AT-C 105 / 205; TSP 100 (2017, Revised Points of Focus 2022); DC 200 (2018, Revised Implementation Guidance 2022)

What’s in scope

The audit covers Smart Merchandiser Version 4 (SM4ALL), the SaaS platform our customers use today. The system is browser-based and hosted on Amazon Web Services. The legacy IBM Cloud version is in the final stages of decommissioning.

Principal service commitments

The following commitments are made to our customers through Master Service Agreements and Service Level Agreements, and are reflected in the audited system description.

Security

Protection of system resources and customer data through administrative, logical, and technical controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) for all production access
  • Encryption of data in transit and at rest
  • Enforcement of least privilege access
  • Continuous security monitoring

Availability

  • 99.95% contractual uptime commitment
  • Multi-availability-zone (Multi-AZ) deployment
  • Serverless architecture for elastic scaling
  • Content delivery optimization via Amazon CloudFront
  • AWS CloudWatch monitoring with alerting on anomalies

Confidentiality

  • Encryption mechanisms applied throughout
  • Restricted access controls (least privilege + RBAC)
  • Zero-copy architecture — customer catalog data is read on demand from the source ecommerce platform, processed transiently, and returned without persistence
  • Secure data handling procedures

Processing Integrity

  • Real-time API-based data retrieval from source systems
  • Minimal transformation — limited to merchandising-position logic (product-ordering values for display)
  • Automated and rules-based processing controls
  • Monitoring and validation procedures

Privacy

Privacy is explicitly out of scope for the SOC 2 examination because the system does not process personal data beyond minimal user-authentication metadata. This is by design: our AI does not need customer PII to deliver merchandising outcomes.

Subservice organizations and shared responsibility

We rely on a small set of subservice organizations for cloud infrastructure and platform services. The audited system description identifies these dependencies and notes that complementary subservice-organization controls — and complementary user-entity controls — are necessary alongside our own controls to achieve our service commitments. This shared-responsibility model is standard for SaaS audits.

Primary subservice organizations:

  • Amazon Web Services (production hosting, us-east-1)
  • Auth0 / Okta (Smart Merchandiser customer authentication only — not staff identity)
  • Upstash Redis (cache layer)
  • Atlassian Cloud / Bitbucket (internal collaboration and source control)
  • Google Workspace (Zobrist staff productivity — not customer data)

Vulnerability and patch management

We maintain a continuous vulnerability scanning and remediation program with tiered SLAs:

  • Critical findings: remediated within 7 days (most recent program data: 424 prior Critical findings remediated within 3 days)
  • High severity findings: remediated within 30 days
  • As of the Type 1 as-of date: 0 open Critical findings; High severity findings under active remediation against the 30-day SLA

The Vulnerability & Patch Management Policy is reviewed annually and was most recently re-issued (v1.2) in May 2026.

Backups and continuity

  • DynamoDB Point-in-Time Recovery (35-day window) provides continuous incremental backup
  • Per-environment weekly snapshots to dedicated S3 backup buckets in us-east-1
  • Business Continuity and Disaster Recovery plans documented and approved (T-5.2 evidence; approved February 2026)
  • Cross-region replication is not currently implemented; the residual region-level outage risk is formally accepted per documented risk acceptance (CEO approval March 2026, evidence T-94.1)

Compliance roadmap

  • SOC 2 Type 1 (Security): Complete — April 9, 2026
  • SOC 2 Type 2 (Security): In progress — same auditor, Johanson LLP
  • Policy library refresh (2026 cycle): Complete — May 2026

Request the full SOC 2 Type 1 report

The report itself is restricted to Zobrist, our user entities and business partners, their practitioners, and regulators with sufficient knowledge of the system (per Section I of the report). To request a copy:

  • Email: support@smartmerchandiser.com
  • We will send a mutual non-disclosure agreement for execution
  • Once executed, we send the report along with a brief orientation letter

For technical questions or to schedule a walkthrough with our CTO or CIO, the same address routes appropriately.

  • Last updated: May 17, 2026
  • Page owner: Teresa Zobrist, CEO, Zobrist Software Group
  • Review cadence: Quarterly, or upon material change to the security program