A small service is best evaluated by the record it leaves behind. Every change to the service, every internal review, every incident lands here in the order it happened. Nothing is rewritten after the fact.
Removed a quietly forgotten fallback that could have used Loomaru-side credentials in place of a merchant's own. Every signing secret and platform access token is now issued, held, and revocable by the merchant; if a credential is missing or invalid the system fails closed rather than improvising. The behavior now matches the public Merchant Control Protocol promise word-for-word.
Operational logs are held for seven days, with layered controls that keep personal data out of them in the first place: a primary filter drops disallowed fields at the source before a log line is written, and a second filter at the destination acts as defense-in-depth. Shopper PII is not stored anywhere, at any time — the policy now says so in writing, with the operational mechanics that back the claim.
Operational playbook for handling shopper data-subject requests under GDPR — right of access, right to erasure. Defines our role as a GDPR Article 28 processor, a five-working-day internal turnaround comfortably inside the law's calendar-month controller window, and a ready-to-paste response template merchants can adapt for the shopper.
Two improvements, both invisible to merchants. The response sent for missing-versus-malformed store configuration is now unified so an outside observer cannot tell whether a given store is enrolled — closing a common reconnaissance vector. A fast-path rejection of malformed signatures means a flood of obviously-invalid requests can no longer pin our compute.
Every outbound call to an external ad-platform API now carries a strict timeout. If the upstream has a slow day we back off in seconds rather than holding background work open; the merchant's downstream dashboards see the same thing they would have seen, but our team gets a faster signal to investigate.
Review covered application security, edge runtime hardening, privacy posture, and software supply chain. Reviewers were instructed to assume nothing and find everything; findings were sorted into severity tiers and every customer-impacting item was fixed in the same week. A small set of internal follow-ups (credential rotations, dashboard tweaks) is tracked on a published schedule. Zero customer-impacting findings remain open.
Four-tier review across the public surface — focus rings, skip links, semantic landmarks, reduced-motion preference honored on every animated surface, and body-text contrast validated against WCAG 2.1 AA. Regressions are now guarded at build time so the baseline cannot silently drift.
The public-facing link now points to /book, a thin server-side redirect. Resolves the scheduling-vendor URL at click time instead of publishing it in every page's HTML. Reduces public fingerprinting without changing the booking flow for the reader.
A new public page explaining, in merchant-first terms, the control contract we hold regardless of which ad platforms a store runs. Platform-agnostic by design; linked from the site footer.
How this page works
Technical detail is kept off this page on purpose — a public log shouldn't double as a map for attackers. For full depth or our sub-processor list, email vadim@loomaru.com.