Section 01
Our posture
Ongoing is built on public ecommerce signals, production-grade infrastructure, and clear operational controls. We design our systems to protect customer accounts, organization settings, billing relationships, API access, and the infrastructure that powers our Shopify ecosystem data.
Most of the data Ongoing indexes is public storefront, app, technology, and ecosystem data. The most sensitive information we protect is the private data associated with your account: authentication, billing, organization membership, API keys, saved configuration, and product usage.
We do not overstate our security posture. This page describes the controls currently in place, the platforms we rely on, and the areas where formal certifications are still on the roadmap.
Section 02
Infrastructure
Ongoing runs on managed infrastructure providers with production security baselines, isolation, backups, and operational monitoring.
- Application — Laravel Cloud for web, queues, scheduler, and workers.
- Marketing site — Vercel for static hosting and edge delivery.
- Database — DigitalOcean Managed Postgres with automated backups and point-in-time recovery.
- Object storage — DigitalOcean Spaces for raw collection artifacts and operational outputs.
- Sibling services — isolated microservices for collection, detection, and enrichment. Cross-service access requires authenticated secrets and is never anonymous.
We separate customer-facing application infrastructure from collection and enrichment services where practical, reducing unnecessary exposure between systems.
Section 03
Data protection
- In transit. TLS 1.2+ is required on public surfaces, including the marketing site, dashboard, API, and MCP server.
- At rest. Managed database storage and object storage use platform-provided encryption at rest.
- Secrets. Application secrets, API keys, and cross-service tokens are stored in managed platform secret stores and are not committed to source control.
- Payments. Payments and subscriptions are processed by Stripe. Ongoing does not see or store full card numbers.
- Passwords. Passwords are hashed using a modern adaptive hashing algorithm (one with a tunable work factor and a per-password salt) and are never stored in plain text.
- Data minimization. Ongoing’s product is designed around public ecommerce and technology signals. We avoid collecting private merchant, customer, or shopper data unless it is required to operate the service.
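As an added illustration of what "adaptive hashing" means in practice (this is example code written for this page, not Ongoing's implementation, and the cost parameters, record format and the scrypt choice are assumptions), the snippet below hashes a password with a per-password random salt and a tunable work factor, verifies it in constant time, and upgrades a record hashed under an older, weaker cost the next time the user logs in:

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Current cost policy (constructed for this example). Raising these later makes
# existing records eligible for transparent re-hashing at the next login.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # scrypt needs roughly 128*n*r*p bytes; pass an explicit ceiling so OpenSSL
    # does not reject the call when the cost is raised past its default cap.
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
        maxmem=2 * 128 * n * r * p, dklen=DKLEN,
    )


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: algorithm, parameters, salt, digest.

    A fresh random salt per password means two users with the same password get
    unrelated records, so a leaked table cannot be attacked with one precomputed
    dictionary; storing the parameters lets the cost be raised later.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _scrypt(password, salt, n, r, p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def _parse(record: str) -> Tuple[int, int, int, bytes, bytes]:
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash record")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    n, r, p, salt, expected = _parse(record)
    candidate = _scrypt(password, salt, n, r, p)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bool:
    """True when the record was produced under a weaker cost than current policy."""
    stored_n, stored_r, stored_p, _, _ = _parse(record)
    return stored_n < n or stored_r < r or stored_p < p


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify the password; if policy has tightened, return an upgraded record to persist."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Record created under an older, cheaper policy (n=2**13).
    old = hash_password("correct horse battery staple", n=2 ** 13)
    assert verify_password("correct horse battery staple", old)
    assert not verify_password("Correct horse battery staple", old)
    ok, upgraded = login("correct horse battery staple", old)
    assert ok and upgraded != old and not needs_rehash(upgraded)
    print("verified and upgraded to current cost")
```

The only thing the login path has to do differently from a plain hash is to read the cost out of the stored record rather than out of configuration; that is what allows the work factor to be raised over time without forcing a password reset.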
Section 04
Access control
- Least privilege. Production access is limited to authorized personnel and scoped to the systems required for operational work.
- Multi-factor authentication. MFA is enforced on critical production platforms, including cloud providers, payment systems, and source control.
- Organization scoping. Ongoing accounts authenticate users. Organizations own subscriptions, data access, configuration, and membership permissions.
- API keys. API keys are scoped to an organization and can be revoked individually.
- Service-to-service access. Internal services authenticate with scoped secrets. Anonymous cross-service access is not permitted.
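To make the API-key statements above concrete, here is an added example (not Ongoing's code; the `ong_` prefix, key format and in-memory table are assumptions made for the illustration) of keys that are scoped to one organization, stored only as a digest, and revocable one at a time without affecting the organization's other keys:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

KEY_PREFIX = "ong"  # hypothetical prefix chosen for this example


@dataclass
class ApiKeyRecord:
    key_id: str           # public, non-secret identifier used for lookup and revocation
    secret_sha256: bytes  # only a digest of the secret part is stored
    org_id: str           # the organization this key is scoped to
    revoked: bool = False


# In-memory stand-in for the keys table (constructed for this example).
KEYS: Dict[str, ApiKeyRecord] = {}


def issue_api_key(org_id: str) -> str:
    """Create a key for one organization and return its plaintext exactly once.

    Format: <prefix>_<key_id>_<secret>. The secret is 32 random bytes, so a plain
    SHA-256 (no salt, no work factor) is sufficient: unlike a password, it cannot
    be recovered from the digest by dictionary or brute-force guessing.
    """
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    KEYS[key_id] = ApiKeyRecord(key_id, hashlib.sha256(secret.encode()).digest(), org_id)
    return f"{KEY_PREFIX}_{key_id}_{secret}"


def key_id_of(api_key: str) -> str:
    """Extract the public key_id; the secret may itself contain '_' so split at most twice."""
    return api_key.split("_", 2)[1]


def authenticate(api_key: str) -> Optional[str]:
    """Return the owning org_id for a valid, unrevoked key, otherwise None."""
    try:
        prefix, key_id, secret = api_key.split("_", 2)
    except ValueError:
        return None
    record = KEYS.get(key_id)
    if prefix != KEY_PREFIX or record is None or record.revoked:
        return None
    presented = hashlib.sha256(secret.encode()).digest()
    if not hmac.compare_digest(presented, record.secret_sha256):
        return None
    return record.org_id


def authorize(api_key: str, org_id: str) -> bool:
    """A key grants access only to resources of the organization that issued it."""
    owner = authenticate(api_key)
    return owner is not None and owner == org_id


def revoke(key_id: str) -> bool:
    """Revoke one key by its public id; sibling keys in the same org are untouched."""
    record = KEYS.get(key_id)
    if record is None or record.revoked:
        return False
    record.revoked = True
    return True


if __name__ == "__main__":
    a1 = issue_api_key("org_a")
    a2 = issue_api_key("org_a")
    b1 = issue_api_key("org_b")
    assert authorize(a1, "org_a") and not authorize(a1, "org_b")
    assert revoke(key_id_of(a1))
    assert authenticate(a1) is None and authenticate(a2) == "org_a" and authenticate(b1) == "org_b"
    print("scoped and individually revocable")
```

Keeping a public `key_id` separate from the secret is what makes individual revocation practical: the dashboard and audit logs can refer to a key without ever handling its secret, and the table never holds anything a database leak could replay.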
Section 05
Logging & monitoring
Ongoing logs application requests, queue activity, job failures, authentication events, and production errors. Error tracking and uptime monitoring run continuously, with notifications for production regressions and operational failures.
Logs and telemetry are retained on a rolling window measured in months. This retention period is designed to support investigation, debugging, abuse prevention, and incident response while limiting unnecessary long-term exposure.
Section 06
Vendors
The vendors below are part of how Ongoing delivers the Service. Where applicable, they process data under their respective data-processing terms, security terms, or service agreements. We select infrastructure and operational vendors based on reliability, security maturity, and suitability for production workloads.
- Stripe — payments and subscriptions.
- Vercel — marketing-site hosting and edge delivery.
- Laravel Cloud — application hosting, queues, scheduler, and workers.
- DigitalOcean — managed Postgres, object storage, and compute.
- Google Analytics — aggregate traffic measurement on the marketing site.
- Sentry — error tracking and production incident notification.
- Anthropic and OpenAI — model providers used to enrich, classify, and summarize substrate inputs.
Section 07
Compliance
Ongoing is not currently SOC 2, ISO 27001, or HIPAA certified.
We do not claim certifications, attestations, or regulatory coverage that we do not hold. Instead, we publish our current controls, describe our vendors, and maintain a practical security program appropriate for the product and the data we process.
As customer requirements evolve, we expect to pursue formal security attestations where they create meaningful value for customers and improve our internal operating discipline.
For data-protection roles, privacy choices, and data-handling details, see our Privacy Policy. For terms governing access to and use of the Service, see our Terms of Service and Acceptable Use Policy.
Section 08
Responsible disclosure
If you believe you’ve found a security vulnerability in Ongoing, please email security@ongoing.ai with a description and reproduction steps. We’ll acknowledge receipt within two business days.
We ask that you:
- Give us a reasonable window to triage and fix the issue before public disclosure.
- Avoid accessing data that is not yours.
- Avoid modifying production data.
- Avoid denial-of-service testing.
- Use the vulnerability only to verify and responsibly report the issue.
Ongoing does not currently operate a paid bug bounty program, but we appreciate good-faith security research and credit researchers who report issues responsibly.
Section 09
Contact
Security questions: security@ongoing.ai
Legal or privacy questions: legal@ongoing.ai
General inquiries: use the contact page.