Account security
- Passwords are hashed with industry-standard work-factor algorithms — we never store them in plain text.
- Sensitive actions (changing payout details, exporting data) require a one-time code sent to your registered email.
- Sessions auto-expire after a period of inactivity, and you can sign out remote sessions from your account page.
Payment security
- Card payments are processed through PCI-DSS-compliant gateways (SSLCommerz). SGT Cart never stores raw card numbers.
- All payment-page traffic is TLS-encrypted end-to-end.
- Suspicious payment patterns trigger automated review before funds are released.
Platform security
- Production servers are isolated behind a reverse proxy with HSTS, modern TLS, and rate-limited public endpoints.
- Internal access is least-privilege, MFA-enforced, and logged.
- Backups are encrypted at rest and tested regularly for restorability.
Report a vulnerability
Security researchers, please email security@sgtcart.com with a proof-of-concept and your contact details. We commit to:
- Acknowledging within 2 business days.
- Safe harbour for good-faith research that doesn't affect other users.
- Public credit (if you'd like) after the fix ships.