Workspace data isolation
Each Customer operates inside a workspace. Workspace data is logically isolated at the database layer through workspace-scoped row-level security policies. A query made by a user in workspace A cannot return rows from workspace B, regardless of what the application code requests.
Files uploaded inside a workspace (item photos, exports) are stored under a workspace-specific namespace and are served only through signed URLs that expire.
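The paragraph above (and the "Workspace-scoped row-level security" item under Security measures) describes the isolation mechanism without showing it. The following is an added PostgreSQL example, not ReturnGuard's schema or migrations: the table, role, policy and setting names (return_cases, app_user, app.workspace_id) are illustrative assumptions. It shows a workspace-scoped policy, what happens when a session tries to read or write across workspaces, and the kind of catalog check a migration linter can run to confirm every workspace-keyed table is covered.

```sql
-- Added example (assumed names, not ReturnGuard's own schema).
CREATE TABLE return_cases (
    id            bigserial PRIMARY KEY,
    workspace_id  uuid NOT NULL,
    order_ref     text NOT NULL,
    status        text NOT NULL
);

-- Enable RLS and FORCE it so that even the table owner is bound by the policy.
ALTER TABLE return_cases ENABLE ROW LEVEL SECURITY;
ALTER TABLE return_cases FORCE ROW LEVEL SECURITY;

-- The application connects as a plain role: not a superuser and without BYPASSRLS.
-- A superuser or BYPASSRLS role would see every row no matter what the policy says.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON return_cases TO app_user;
GRANT USAGE, SELECT ON SEQUENCE return_cases_id_seq TO app_user;

-- The application sets the workspace in a session setting after authenticating
-- the request (never from client-controlled input). NULLIF handles both an
-- unset setting (NULL) and a reset one (empty string); either way the comparison
-- is NULL, which the policy treats as "no rows", so a missing context fails closed
-- instead of raising a cast error or leaking rows.
CREATE POLICY workspace_isolation ON return_cases
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Constructed sample data: one row in each of two workspaces.
INSERT INTO return_cases (workspace_id, order_ref, status) VALUES
  ('11111111-1111-1111-1111-111111111111', 'A-1001', 'open'),
  ('22222222-2222-2222-2222-222222222222', 'B-2001', 'refunded');

-- Session acting for workspace A. No WHERE clause is needed; the policy adds one.
SET ROLE app_user;
SET app.workspace_id = '11111111-1111-1111-1111-111111111111';
SELECT order_ref FROM return_cases;      -- only A-1001 is returned

-- Writing a row tagged with workspace B from A's session is rejected by WITH CHECK
-- (ERROR: new row violates row-level security policy for table "return_cases").
INSERT INTO return_cases (workspace_id, order_ref, status)
VALUES ('22222222-2222-2222-2222-222222222222', 'X-0001', 'open');

-- No workspace context at all: the policy evaluates to NULL and nothing is visible.
RESET app.workspace_id;
SELECT count(*) FROM return_cases;       -- 0
RESET ROLE;

-- What a migration linter can assert: every table in the schema that carries a
-- workspace_id column must have RLS both enabled and forced. Expected result: no rows.
SELECT n.nspname, c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
                   AND a.attname = 'workspace_id'
                   AND NOT a.attisdropped
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);
```

Two points worth checking in any deployment of this pattern: the statement "regardless of what the application code requests" holds only while the application's database role is neither a superuser nor marked BYPASSRLS, and the workspace setting must be written by trusted server-side code after authentication, since anything that can run SET on the connection can choose its own workspace.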
Processing roles
For account and workspace data of ReturnGuard users, ReturnGuard Labs LLC is the controller. For end-customer, order, product, and return data that a Customer imports into its workspace, the Customer is the controller and ReturnGuard processes that data on the Customer's instructions.
The instructions ReturnGuard processes data under are: (a) the Terms of Service, (b) configuration the Customer makes inside the workspace, and (c) any signed data processing agreement between the parties.
Categories of data and data subjects
- Workspace users — name, work email, role, authentication metadata.
- End customers of the brand — name, email, shipping address, order and return history.
- Operational data — return cases, refund decisions, condition assessments, recovery routes, internal notes.
- Item content — product images, uploaded inspection photos.
Security measures
- AES-256 at rest for the primary database and object storage; TLS 1.3 in transit for the application, APIs, and evidence uploads.
- Role-based access control across every workspace surface. Single sign-on supported via Okta and Azure Active Directory for enterprise workspaces.
- SOC 2 Type I issued February 2025, scoped to the Dallas data center and the primary SaaS application. ISO 27001 certification pending Q3 2026 audit — not certified.
- Retention: customer PII 7 years; system logs 90 days; anonymized data used for global model refinement retained indefinitely.
- Workspace-scoped row-level security in the database, audited by automated linters on every migration.
- Two-factor authentication available for all user accounts; required for staff accounts.
- Least-privilege production access for staff, time-bound credentials, and audit logs of administrative actions.
- Encrypted backups on a rolling 30-day retention window.
- Dependency and container scanning on every build.
- Coordinated vulnerability disclosure: security@returnguard.net.
Subprocessors
ReturnGuard relies on a small number of subprocessors to operate the service. The current list, including provider, purpose, region, and data category, is maintained at /legal/subprocessors. We notify workspace owners by email before adding a new subprocessor that handles personal data.
International transfers
Where data is transferred across borders to a subprocessor, ReturnGuard relies on standard contractual clauses or another recognized transfer mechanism, and on the security measures described above.
Data deletion and export
Workspace owners can export their workspace data at any time from the Data Export settings. On termination of a workspace, data is available for export for up to 30 days, then deleted from primary systems. Encrypted backups expire on a rolling 30-day cycle, so a copy of the data can remain in backups for up to 30 days after it is deleted from primary systems.
Individual deletion requests for workspace users can be served from in-app settings. End-customer deletion requests are fulfilled by the controller (the Customer brand); ReturnGuard provides tools to remove or anonymize specific customer records on request.
Incident response
If ReturnGuard becomes aware of a personal data breach involving workspace data, we will notify affected workspace owners without undue delay and provide the information needed for the controller to meet its own notification obligations.
Support contact
Procurement, security, and DPA questions go to support@returnguard.net. Vulnerability reports go to security@returnguard.net.
These pages describe how ReturnGuard operates today. They are written in plain language for our customers and are not legal advice. For contractual questions, contact support@returnguard.net.