Victava — Security & trust
You connect your store. We stay read-only.
Victava reads from your Stripe account, your Shopify store, your helpdesk, your inbox, and your carriers to win disputes. It holds no power to refund, edit, or move money on any of them — and it files nothing without your approval. Every commitment below is described in plain terms, exactly the way we'd walk you through it.
Read-only by design. We can't move your money.
Connecting Victava means giving an outside tool access to your store, helpdesk, inbox, and carriers. That is a real decision, so here is the exact shape of what we can — and can never — do with it. On every connected data source we hold read-only scopes with no refund or write capability. The single place we can write is submitting the Stripe evidence you have personally approved.
Stripe
Payment processor
We read: Disputes, charges, customer history, 3DS / AVS / CVC results, Radar signals, network reason codes.
We can never: Issue refunds, payouts, or transfers. The one write we make is submitting the evidence you approved.
Shopify
Store & order data
We read: Orders, fulfillment status, tracking numbers, prior-purchase history.
We can never: Edit orders, issue refunds, or touch store admin. Read-only.
Helpdesk & email
Zendesk · Gorgias · Gmail
We read: The customer's support thread tied to the disputed order.
We can never: Send, edit, or delete messages, or read mail unrelated to the dispute. Read-only.
Carriers
FedEx · UPS · USPS
We read: Delivery scans, signed proof of delivery, address-of-record match.
We can never: Any account-level or write access.
Why we lead with this. In January 2026, a competing chargeback tool was breached, and attackers used its standing access to issue unauthorized refunds from connected merchant stores. Victava is built so that attack cannot reach your money: we request no refund, payout, or write access on any connected data source, and the one write we can make — submitting Stripe evidence — is explicitly enumerated, automatically enforced, and blocked until you approve. See the exact Stripe write set and the approval gate.
Least-privilege & encrypted secrets
On every data source we connect — Shopify, your helpdesk, your inbox, your carriers — we hold read-only access with no refund or write power. Every credential lives in an encrypted vault, never in a customer-readable record.
Per-account isolation & hardening
Strict per-account data isolation means a misconfigured query can't reach another customer's data. Industry-standard browser-security protections are enforced across the whole app. Privacy disclosures aligned with GDPR and CCPA.
You approve, and it's all logged
The system physically cannot submit to Stripe without your approval — built into how it works, not a feature flag. Every credential read, query, and submission is logged and traceable to its source.
Encrypted vault for third-party credentials
Your Stripe, Shopify, Zendesk, Gorgias, Gmail, and carrier connection credentials live in an encrypted vault. The plaintext credential never touches a regular data table; only an encrypted reference is stored.
Credentials are decrypted only inside the server-side step that needs them — never cached, never broadcast, never logged. Even an attacker with full read access to our data tables gets an encrypted reference, not a usable credential. The vault is the single place credentials live.
Strict per-account data isolation
Every record that holds your data — disputes, evidence items, audit history, integrations — is locked to your account at the database level.
A misconfigured query cannot return another customer's data from a user-facing path. Privileged internal access is restricted to trusted, automated steps where your account is identified by a verified source (a signed Stripe event, the secure connection flow, and similar).
Hardened browser-security configuration
We enforce industry-standard browser-security protections: a strict content policy, forced HTTPS with a one-year retention, clickjacking and content-type protections, and integrity checks on any third-party script we load.
These protections are applied uniformly across the whole app — there is no per-route override that could silently weaken them.
Stripe permissions — exactly what we can do
Stripe grants connected apps either read-only or read-write access. Victava requests read-write because submitting evidence to the bank requires a write. But that write set contains exactly one capability — submitting the dispute evidence you approved. It includes no refund, payout, transfer, or customer-data-write permission. Every Stripe action we can take is listed below, and our checks block any new write from shipping unless it is added to this list.
Stripe permissions — what Victava can and cannot do
stripe.disputes.update
Per dispute · merchant-approved
Submits the evidence packet you approved in the review wizard. Fires exactly once per dispute, only after explicit merchant approval at the HITL waitpoint. Idempotency-keyed on (dispute_id, draft_id).
Cannot create, capture, refund, or modify charges. Cannot close a dispute without evidence. Cannot resubmit after an outcome is final.
merchantStripe.files.create
Per file · at submission
Uploads a single evidence file (PDF/image/text) to Stripe storage with purpose='dispute_evidence' so the disputes.update call can reference it. Fires once per file at submission time.
Cannot upload files with any other purpose. Cannot read, list, or delete files belonging to other Victava customers or to your account outside dispute_evidence.
stripe.refunds.create
Opt-in only · default OFF
When Stripe sends an early fraud warning (EFW) and you have explicitly enabled Auto-Refund Rules with an amount cap and daily limit, Victava issues a single refund for the flagged charge with reason='fraudulent'. Default is OFF — no refund fires unless you opt in.
Cannot refund any charge that did not trigger an EFW. Cannot exceed your configured per-refund amount cap or per-day count limit. Cannot refund the same EFW twice (idempotency-keyed on efw_id).
merchantStripe.refunds.create
Per inquiry · on your click
When you click 'Issue a refund' on an early inquiry (a pre-chargeback warning), Victava refunds that one charge with reason='requested_by_customer' so the inquiry resolves before it becomes a chargeback and no dispute fee is owed. Fires only on your explicit click, after a confirmation dialog.
Cannot refund a charge that is not an active inquiry (a real chargeback is rejected, so you can never double-pay). Cannot refund without your confirmation. Cannot issue a second refund for the same inquiry (idempotency-keyed on dispute_id).
What Victava cannot do
- Cannot create or capture new charges on your account.
- Cannot initiate transfers or payouts.
- Cannot read or modify connected bank accounts.
- Cannot read or modify your Stripe team, role, or permission settings.
- Cannot disable or weaken any Radar fraud rule.
- Cannot modify your platform fee, subscription, or pricing configuration.
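The rule that no new Stripe write ships unless it is on the enumerated list can be enforced with a source scan in CI. The following is an added example, not Victava's code: the allowlist holds the four calls named in the table above, while the verb list, the regular expression and the sample source are assumptions made for illustration.

```javascript
// Added example: allowlist entries come from the permissions table on this
// page; everything else (verbs, regex, SAMPLE) is assumed for illustration.
const ALLOWED_WRITES = new Set([
  "stripe.disputes.update",
  "merchantStripe.files.create",
  "stripe.refunds.create",
  "merchantStripe.refunds.create",
]);

// Method names treated as writes (assumed list). Reads such as retrieve or
// list are ignored.
const WRITE_VERBS = ["create", "update", "del", "cancel", "capture", "close", "reverse"];

// Matches calls such as stripe.refunds.create( or merchantStripe.files.create(
const CALL_RE = /\b(\w*stripe)\.((?:\w+\.)+)(\w+)\s*\(/gi;

// Returns every write call that is not on the allowlist, with its line number.
// Comments are deliberately not stripped: a commented-out call is flagged
// too, so the check fails closed.
function findUnlistedWrites(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(CALL_RE)) {
      const call = `${m[1]}.${m[2]}${m[3]}`;
      if (WRITE_VERBS.includes(m[3]) && !ALLOWED_WRITES.has(call)) {
        findings.push({ line: i + 1, call });
      }
    }
  });
  return findings;
}

// Constructed sample source: three permitted calls and two unlisted writes.
const SAMPLE = [
  "await stripe.disputes.update(id, { evidence }, { idempotencyKey });",
  "const c = await stripe.charges.retrieve(chargeId);",
  "await stripe.transfers.create({ amount, destination });",
  'await merchantStripe.files.create({ purpose: "dispute_evidence", file });',
  "await merchantStripe.payouts.create({ amount });",
].join("\n");

const unlisted = findUnlistedWrites(SAMPLE);
unlisted.forEach((f) => console.log(`line ${f.line}: unlisted write ${f.call}`));
```

A CI job would fail the build whenever the returned list is non-empty, so adding a write means editing the allowlist in a reviewed change.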
Mandatory human approval on submission
After evidence is gathered, evaluated, and a rebuttal is drafted, the process stops at an approval gate and physically waits until you click approve in the dashboard.
Every claim in that rebuttal is traced to the exact source it came from — the Stripe charge, the Shopify order, the carrier's delivery record. A fact that can't be sourced is dropped, not guessed, and fabricated IDs are rejected. Removing the approval gate would require a code change, a code review, and a deploy. There is no setting that bypasses it. Auto-submit can't exist as an option; it would have to be rebuilt.
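The approval gate and the (dispute_id, draft_id) idempotency key described on this page combine as in the following added example, which is not Victava's code. Every name in it (submitEvidence, approvals, makeFakeStripe) is hypothetical, the Stripe client is an in-memory stand-in, and binding the approval to one draft id is an assumption.

```javascript
// Added example: hypothetical names, in-memory stand-in for the Stripe client.
function idempotencyKey(disputeId, draftId) {
  return `evidence:${disputeId}:${draftId}`;
}

// approvals maps dispute id -> { draftId }; assumed to be written only by the
// merchant's approve click. With a real client the return value is a promise.
function submitEvidence({ dispute, draft, approvals, stripe }) {
  const approval = approvals.get(dispute.id);
  if (!approval) throw new Error("blocked: no merchant approval");
  if (approval.draftId !== draft.id) {
    throw new Error("blocked: approval covers a different draft");
  }
  if (!["needs_response", "warning_needs_response"].includes(dispute.status)) {
    throw new Error("blocked: dispute is not open for evidence");
  }
  return stripe.disputes.update(
    dispute.id,
    { evidence: draft.evidence },
    { idempotencyKey: idempotencyKey(dispute.id, draft.id) }
  );
}

// Stand-in client: replays the first response for a repeated key, as an
// idempotent API does, and counts the writes actually performed.
function makeFakeStripe() {
  const seen = new Map();
  const client = { writes: 0, disputes: {} };
  client.disputes.update = (id, params, opts) => {
    if (seen.has(opts.idempotencyKey)) return seen.get(opts.idempotencyKey);
    client.writes += 1;
    const res = { id, status: "under_review", evidence: params.evidence };
    seen.set(opts.idempotencyKey, res);
    return res;
  };
  return client;
}

// Constructed data: an approved draft submitted twice produces one write.
const demoStripe = makeFakeStripe();
const demoArgs = {
  dispute: { id: "dp_constructed_1", status: "needs_response" },
  draft: { id: "draft_1", evidence: { uncategorized_text: "constructed" } },
  approvals: new Map([["dp_constructed_1", { draftId: "draft_1" }]]),
  stripe: demoStripe,
};
submitEvidence(demoArgs);
submitEvidence(demoArgs); // retry with the same key is replayed, not re-sent
console.log("writes performed:", demoStripe.writes);
```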
Audit logging and monitoring
Every credential read, evidence fetch, draft, and submission writes a structured audit entry tied to your account and the specific dispute, so you can reconstruct exactly what Victava did on your accounts and when. Nothing the system touches is off the record.
Errors and activity are continuously monitored, and every action is correlation-tagged so we can trace any incident end to end. Production incidents are tracked publicly in this page's incident history, and we commit to disclosing material customer-impacting incidents within 7 calendar days.
Least-privilege, read-only access to your data sources
Shopify, your helpdesk (Zendesk, Gorgias, Gmail), and your carriers connect as read-only data sources. We request the minimum read access needed to pull dispute evidence — orders, fulfillment, tracking, the support thread, delivery scans — and nothing that can refund, cancel, edit, or send. There is no write or money-movement capability on any of them.
Every one of those connections lives in the same encrypted vault as our other credentials, never in a customer-readable record. Tokens rotate on each provider's schedule, and access tokens are not retained beyond what the secure connection requires.
Incident history
Material customer-impacting incidents are disclosed here within 7 calendar days, with a remediation summary.
Zero reportable incidents to date.
We will not retroactively edit this section. Future entries append with date, summary, and remediation.
Responsible disclosure
If you believe you've found a security issue, email security@victava.com. We commit to acknowledging within 2 business days and to a coordinated disclosure timeline. We do not currently publish a PGP key — please use a TLS-encrypted email client.
Run the audit. See the architecture in action.
Connect Stripe and Shopify in 90 seconds. Every step the audit takes — every credential read, every query — is logged under the same read-only, per-account-isolation, and encrypted-vault constraints described above.