Security and trust

AI shopping assistant security in AgenticCart: merchant accounts, tenant-scoped catalog data, hosted chat SSL, and a clear shared-responsibility model.

AI shopping assistant security in AgenticCart is built on a simple trust model: protect merchant accounts, scope catalog data to each merchant, secure hosted chat domains with HTTPS, and keep shopper conversations separated between merchants. This page covers the AgenticCart security model, what is protected, where merchant responsibilities begin, and how to request a DPA or report a vulnerability.

The AgenticCart security model for AI shopping agents

AgenticCart hosts conversations on merchant-controlled domains, reads from merchant-controlled catalog sources, and is paid for through Stripe. That shape informs every security decision: tenant data stays scoped to the merchant account, no raw card data ever touches AgenticCart, and the hosted chat always runs over TLS. The model is documented transparently so evaluators can reason about it end to end — see the platform architecture page for how the pieces fit together.

What AgenticCart protects

  • Merchant accounts — protected sign-in, password reset, and dashboard sessions. For the account-level controls, see account and sign-in.
  • Catalog data — products, collections, AI sales agents, and settings are scoped to the merchant account.
  • Hosted chat domains — custom domains are connected through DNS and served over HTTPS with managed SSL once verification completes.
  • Billing — card entry, storage, and invoices are handled entirely by Stripe-hosted pages; AgenticCart never sees raw card details.
  • Shopper conversations — conversations belong to the merchant experience where they happen and are not cross-shared with other merchants.

Hosted domain security

Your AI sales agent runs on a domain you own, such as chat.yourbrand.com. You add the DNS record in your provider, AgenticCart verifies the target, and managed SSL is provisioned before the hosted chat is ready for live shoppers. All production traffic to the hosted chat flows over TLS; HTTP requests are redirected to HTTPS by default.

For the DNS and SSL walkthrough, see hosted chat domain. For how AgenticCart confirms you control the domain before issuing certificates, see domain verification.
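
A pre-launch check a merchant could run against their own hosted chat domain, as an added example (not AgenticCart tooling): it classifies the answer to a plain-HTTP request and reports the days left on the certificate. The function names and sample responses are constructed for illustration; `chat.yourbrand.com` is the placeholder domain used above.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def judge_http_response(host, status, location):
    """Classify the answer to a plain-HTTP request for `host`."""
    if status not in REDIRECT_CODES:
        return "FAIL: content served over cleartext HTTP (status %d)" % status
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "FAIL: redirect does not upgrade to HTTPS"
    if (target.hostname or "").lower() != host.lower():
        return "WARN: redirect leaves the domain (%s)" % target.hostname
    return "OK"


def days_left(not_after, now):
    """Days until a certificate's notAfter string, relative to epoch `now`."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def probe(host, now, timeout=5):
    """Live check (needs network): returns (redirect verdict, cert days left)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/")
    resp = conn.getresponse()
    verdict = judge_http_response(host, resp.status, resp.getheader("Location"))
    conn.close()
    # The default context verifies the chain and the hostname; a bad cert raises.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return verdict, days_left(tls.getpeercert()["notAfter"], now)


# Constructed sample responses (not captured from any real service).
SAMPLES = [
    (200, None), (301, "http://chat.yourbrand.com/start"),
    (302, "https://login.example.net/"), (308, "https://chat.yourbrand.com/"),
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, location, "->", judge_http_response("chat.yourbrand.com", status, location))
```

Run `probe("chat.yourbrand.com", time.time())` with your own domain once DNS verification has completed; a certificate that fails chain or hostname validation raises `ssl.SSLCertVerificationError` instead of returning.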

Merchant control and configuration

  • You choose which catalog source AgenticCart reads from — WooCommerce plugin or product feed URL.
  • You choose which products each AI sales agent can recommend, by curating collections.
  • You choose the agent tone, guidance, and objective, and the hosted chat domain the agent runs on.
  • You choose where to link the hosted chat from your store, ads, and campaigns.
  • You control DNS, SSL trust, and domain ownership — AgenticCart never holds your registrar credentials.

Shared responsibility: AgenticCart vs you

AgenticCart handles

  • Hosted chat application delivery and platform uptime.
  • Managed SSL provisioning once DNS is configured correctly.
  • Merchant account protections — password rules, session cookies, abuse throttling.
  • Catalog and agent scoping so merchant data stays in its own tenant boundary.
  • Stripe-hosted billing flows so card data never reaches AgenticCart servers.

You handle

  • Protecting your storefront admin accounts, WooCommerce logins, and DNS provider account.
  • Keeping your ecommerce platform and catalog source accurate and up to date.
  • Adding the exact DNS records AgenticCart shows during domain setup.
  • Reviewing the hosted chat on a real URL before sending live shopper traffic.
  • Maintaining your own privacy notice, cookie notice, and shopper consent requirements.

Privacy, DPA, and vendor review

If you need a Data Processing Addendum, vendor-security review documentation, data residency details, or other procurement material for your AI shopping assistant evaluation, contact AgenticCart before launch so the current security packet can be shared through the right channel. AgenticCart acts as a data processor for the catalog and conversation data you route through it; your privacy notice governs how shoppers are informed.

Reporting a vulnerability

If you believe you have found a security issue in AgenticCart, email security@agenticcart.ai with enough detail for the team to reproduce it — affected URL or feature, reproduction steps, impact, and any proof-of-concept artifacts. Please avoid public disclosure until AgenticCart has investigated and shipped a fix.

Frequently asked questions

Is my catalog data isolated from other AgenticCart merchants?
Yes. Catalog data, AI sales agents, collections, and settings are scoped to your merchant account. Other AgenticCart merchants cannot see or query your products, conversations, or configuration.

Does AgenticCart handle GDPR and a DPA?
AgenticCart will sign a Data Processing Addendum on request and can share the current vendor-security packet for evaluator review. Contact the team before launch so the paperwork is in place before shopper data starts flowing through your hosted chat.

Who is responsible for storefront admin security?
You are. AgenticCart secures its own merchant dashboard and hosted chat, but it cannot protect your WooCommerce admin, marketplace back office, or DNS provider account — those stay in your control and should be protected with strong passwords, MFA where available, and limited access.

Does the hosted AI chat run over HTTPS?
Yes. Every hosted AI shopping chat on a custom domain runs over TLS with managed SSL after DNS verification completes. HTTP requests are redirected to HTTPS by default so shoppers never land on an unencrypted version of the page.

Does AgenticCart store credit card information?
No. All billing goes through Stripe-hosted checkout and customer portal pages. AgenticCart only receives subscription state from Stripe; it never receives or stores raw card numbers, CVC values, or expiry dates.

How do I report a security issue in AgenticCart?
Email security@agenticcart.ai with reproduction steps, affected URL or feature, and impact. Please avoid public disclosure while the issue is being investigated so shoppers and other merchants are not exposed in the meantime.