Security & Data Controls

Calm, scoped, and audit-trailed.

ReturnGuard handles fashion return data the way an operations team expects: scoped to your workspace, gated by role, logged on every change, and never used to make a decision your team didn't authorize.

Workspace isolation · Role-based access · Full audit trail

Workspace isolation by default.

Every record — returns, customers, products, evidence — is scoped to the workspace that owns it. Row-level access rules enforce that boundary on every read and write.

Roles match how teams actually work.

Owner, admin, analyst, CX manager, ops manager, warehouse reviewer, and viewer. Each role unlocks the surfaces it needs and nothing more.

Every decision is logged.

Approvals, overrides, refund changes, recovery routing, rule edits, integration changes — recorded with actor, timestamp, and target. Exportable.

Compliance & certifications

Current attestations.

This page is maintained by ReturnGuard Labs LLC to answer common security and privacy questions about ReturnGuard. It reflects controls in the product today and attestations that have been issued in writing. It is not a substitute for an independent audit report.

SOC 2 Type I

SOC 2 Type I issued February 2025.

Scope includes the Dallas data center and the primary ReturnGuard SaaS application. Report available to enterprise customers under NDA on request to security@returnguard.net.

ISO 27001 · In progress

ISO 27001 certification pending final Q3 2026 audit.

ReturnGuard is preparing for ISO 27001 certification. We do not claim ISO 27001 certified status until the certificate is issued.

How your data is handled.

Plain language. The controls below describe what is in the product today.

Encryption
AES-256 at rest for the primary database and object storage. TLS 1.3 in transit for the application, APIs, and evidence uploads.

Access controls
Role-based access control (RBAC) is implemented across every workspace surface. Single sign-on (SSO) is supported via Okta and Azure Active Directory for enterprise workspaces. Optional two-factor authentication can be enforced at the workspace level. Sessions can be reviewed and revoked from inside the app.

Workspace isolation
There is no shared pool of return or customer data across brands or merchants. Row-level rules check workspace membership on every query — a member of one workspace cannot read or modify another workspace's records.

Role-based permissions
A single role matrix controls what each member can see and change: refunds, condition reviews, recovery routing, rules, integrations, billing, team management. Permissions are checked on the server, not just hidden in the UI.

Audit trails
Authentication events, role changes, refund approvals, score overrides, recovery routing, rule changes, integration connects, API key creation and revocation, exports, imports, workspace and billing changes — each captured with actor, target, and timestamp.

Data retention
Customer personally identifying information is retained for 7 years. System logs are retained for 90 days. Anonymized data used for model refinement is retained indefinitely. Workspace owners can request a shorter customer PII window under an enterprise agreement.

Integrations security
OAuth credentials and API tokens for verified integrations are stored as workspace-scoped secrets, never exposed to the browser. Webhooks are signed with rotating signing secrets. See the Integrations section for the current verified providers.

Fail-open mode
If verified integration API availability drops below 99.9%, ReturnGuard enters Fail-Open mode: all inbound returns are routed to human reviewers with a System Offline flag rather than being auto-decisioned. Reviewers keep authority for refunds, score overrides, and account status changes at all times.

Export & portability
Returns, products, customers, and reports can be exported as CSV from inside the app. Workspace owners can request a full export before cancellation or deletion.

Deletion
Workspace deletion permanently removes returns, customers, products, evidence files, audit entries, and team membership for that workspace, after a confirmation step.

Responsible AI

Recommendations are decision support — not final authority.

ReturnGuard can prepare and route decisions, but human reviewers control refunds, ReturnGuard Score overrides, and account status changes. Each recommendation shows the inputs that informed it and can be overridden with a recorded reason.

  • Automated actions allowed: marking a return as Under Investigation and triggering a Request Photo Evidence email to the customer.
  • Human-required actions: issuing a full refund, overriding a ReturnGuard Score, and updating account block-status.
  • Customers are described in operational terms — return frequency, mismatch signals, declared value — not character judgments.
  • Data is used for global model refinement only if the tenant Opt-Out flag is disabled. Personally identifying fields are hashed before any inclusion in training sets.

In preparation

What we are working toward.

Described as work in progress, not as issued attestations.

  • ISO 27001 certification, targeted for issuance after the Q3 2026 audit.
  • Customer-managed PII retention windows shorter than the 7-year default under enterprise agreements.
  • Expanded verified-integration coverage beyond the four launch partners.
  • Quarterly internal review of role matrix and audit coverage.

Contact security

Reporting a vulnerability or asking a security question?

Reach the security team directly. We aim to acknowledge reports within two business days.