Security

Built for vendor money.
Audited at every layer.

We hold your inventory and your money. The platform is engineered like that's true — append-only ledgers, mandatory two-factor auth, tenant isolation enforced top to bottom.

What we promise

Four guarantees, in plain English.

Strict tenant isolation

Every query is scoped to your vendor identifier across the service, controller, database trigger, and continuous-integration test layers. Cross-tenant requests return a 404 response; the existence of other vendor accounts is never disclosed.

Provable financial integrity

Wallets, ledgers, and audit logs are enforced as append-only at the database layer. The sum of ledger entries reconciles to the wallet balance on a nightly basis. No record is ever modified or deleted, including by USA Errands personnel.

Encryption and secrets management

Passwords are hashed with Argon2id. Multi-factor authentication secrets are encrypted with AES-256-GCM. Session tokens are stored as SHA-256 hashes. Every registration is screened against the Have I Been Pwned breach corpus, and all responses are protected by Helmet, a strict Content Security Policy, and HSTS preload.

Mandatory multi-factor authentication

Time-based one-time passwords (RFC 6238) are required at initial login. Refresh tokens rotate on each use, and any replay attempt revokes the entire session family. Transactions above $500 require step-up re-authentication, and repeated failed login attempts trigger an exponential lockout.
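The refresh-token behaviour described above (rotate on each use, revoke the whole session family on replay) can be sketched as follows. This is an added example, not USA Errands code: the `RefreshTokenStore` class, the in-memory maps, and the choice to keep refresh tokens only as SHA-256 hashes are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Only the hash of a token is kept, so a leaked store does not yield usable tokens.
const sha256 = (t) => nodeCrypto.createHash('sha256').update(t).digest('hex');

// Hypothetical in-memory store; a real deployment would use a database table.
class RefreshTokenStore {
  constructor() {
    this.tokens = new Map();   // tokenHash -> { familyId, used }
    this.revoked = new Set();  // familyIds that have been revoked
  }

  _mint(familyId) {
    const token = nodeCrypto.randomBytes(32).toString('base64url');
    this.tokens.set(sha256(token), { familyId, used: false });
    return token;
  }

  // Called after a successful login (password + TOTP); starts a new family.
  issue() {
    return this._mint(nodeCrypto.randomUUID());
  }

  // Exchange a refresh token for its successor in the same family.
  rotate(presented) {
    const rec = this.tokens.get(sha256(presented));
    if (!rec) return { ok: false, reason: 'unknown' };
    if (this.revoked.has(rec.familyId)) return { ok: false, reason: 'family_revoked' };
    if (rec.used) {
      // A token that was already rotated is being presented again: either the
      // client or someone else holds a stale copy, so every descendant is revoked.
      this.revoked.add(rec.familyId);
      return { ok: false, reason: 'replay_detected' };
    }
    rec.used = true;
    return { ok: true, token: this._mint(rec.familyId) };
  }
}

// Constructed walk-through: legitimate rotation, then a replay of the old token.
function demo() {
  const store = new RefreshTokenStore();
  const first = store.issue();
  const second = store.rotate(first);          // legitimate use
  const replay = store.rotate(first);          // stale token presented again
  const afterReplay = store.rotate(second.token); // newest token is now dead too
  return [second.ok, replay.reason, afterReplay.reason];
}
```

After the replay, even the most recently issued token in the family is rejected, which forces a fresh login with the second factor.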

Disclosure + start

Found something? Tell us.

Email hello@myusaerrands.com