🛡 Shipping Magento modules since 2019. 30-day refund, no forms.Browse modules
Security
Customer data, license keys, payment information. We hold all three. Here's how each is handled.
Card details never touch eTechFlow servers. Paddle, our merchant of record, renders a PCI-DSS Level 1 overlay where the visitor enters their card details. A tokenised reference is returned to us. We store the reference (so refunds are possible) but never the card.
Paddle handles global sales-tax compliance, fraud screening and chargebacks on our behalf — they sell software to your customer, we sell software to Paddle.
License keys are HMAC-signed at issue time using per-module secret fragments stored in our environment configuration. Keys validate against a public endpoint; the validation surface is rate-limited (60 req/min per IP, 30 req/min per key) and shape-validated before any HMAC computation.
Customer-facing license operations (rebind, revoke, regenerate) require authentication and are audit-logged.
Customer data lives in a self-hosted PostgreSQL cluster in the UK. Server-side encryption on the disk volume. Database connection over TLS. Daily encrypted backups with a 30-day retention window.
Access to the production database is restricted to a named list of engineers and audit-logged.
Every request to modules.etechflow.com goes over TLS 1.3. HSTS is enforced with a one-year max-age and the preload list. Cookies are SameSite=Lax + Secure on production.
CSP headers limit script execution to first-party + a short list of allowed third parties (Paddle, Resend, PostHog when consented).
Vulnerability disclosure
We welcome reports from good-faith security researchers. Disclose privately by email. We acknowledge within 24 hours and never pursue researchers acting in good faith.
security@etechflow.comFor data-subject access / erasure requests under UK GDPR see privacy@etechflow.com and our Privacy Policy.
