Security Overview

At Taptic Data, LLC, security is a core product feature. Below is a concise view of how we protect customer data: architecture & isolation, encryption, access controls, network posture, backups, vulnerability management, and incident response.

1) Architecture & Data Isolation

  • Cloud: AWS-hosted. Core services include Amazon RDS (PostgreSQL) and Amazon S3.
  • Multi-tenant isolation: Per-company database schemas prevent cross-tenant access.
  • App layers: Next.js frontend + FastAPI backend. Firebase Auth for identity; server-side authorization on every request.

2) Encryption

  • In transit: TLS/HTTPS enforced for all client and service traffic.
  • At rest: Cloud-managed encryption for databases and object storage.
  • Secrets: Environment-scoped credentials; restricted runtime access.

3) Authentication & Access Control

  • Identity: Firebase tokens validated by the backend.
  • Authorization: Server-side mapping enforces company schema, plan limits, and permissions.
  • Least privilege: Internal admin access gated by MFA and role-based controls.

4) Network & Infrastructure Security

  • Perimeter: Only required ports exposed; admin surfaces restricted and audited.
  • Vendors: Stripe (billing), Firebase (auth), SES (email) via secure vendor endpoints.
  • Observability: Logs/metrics support anomaly detection and investigations.

5) Backups & Disaster Recovery

  • Backups: Database backups with point-in-time recovery per policy.
  • Object storage: Versioning and lifecycle policies on S3.
  • Restore drills: Periodic restoration tests validate recoverability.

6) Vulnerability Management

  • Dependencies: Rolling updates to third-party libraries and containers.
  • Secure development: Code review, env separation, and guardrails against cross-schema SQL.
  • Hardening: Regular OS/runtime/infrastructure updates.
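The per-company schema isolation described in sections 1 and 3, together with the guardrail against cross-schema SQL above, can be sketched as a request-scoped tenant context. This is an added illustration, not Taptic Data's code: the `company_<id>` schema naming, the server-side uid-to-company directory, and the regex lint are assumptions; the `claims` dict stands in for the result of Firebase's `verify_id_token()`.

```python
"""Tenant-scoped context for a per-company-schema PostgreSQL layout.

Assumed (not from the page): company_<id> schema naming, a server-side
uid -> company directory, and a regex lint for cross-schema references.
"""
import re
from dataclasses import dataclass

SCHEMA_RE = re.compile(r"^company_[a-z0-9]{1,40}$")
# Matches a schema-qualified reference such as company_acme.users; table
# aliases like u.id do not match because they lack the company_ prefix.
FOREIGN_REF_RE = re.compile(r"\b(company_[a-z0-9]+)\s*\.", re.IGNORECASE)
SEARCH_PATH_RE = re.compile(r"\bsearch_path\b", re.IGNORECASE)

# Constructed sample directory: the only source of truth for uid -> company.
COMPANY_DIRECTORY = {"uid-alice": "acme", "uid-bob": "globex"}


@dataclass(frozen=True)
class TenantContext:
    uid: str
    company_id: str
    schema: str


def resolve_tenant(claims: dict) -> TenantContext:
    """Map verified token claims to a tenant. The company is looked up
    server-side from the uid and is never read from the client request."""
    uid = claims.get("uid") or claims.get("sub")
    if not uid or uid not in COMPANY_DIRECTORY:
        raise PermissionError("unknown or unmapped user")
    company_id = COMPANY_DIRECTORY[uid]
    schema = f"company_{company_id}"
    if not SCHEMA_RE.fullmatch(schema):
        raise ValueError("schema name fails naming policy")
    return TenantContext(uid=uid, company_id=company_id, schema=schema)


def quote_ident(name: str) -> str:
    """Double-quote a PostgreSQL identifier, escaping embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def search_path_statement(ctx: TenantContext) -> str:
    """SET search_path takes no bind parameters, so the schema name is
    validated and identifier-quoted before interpolation."""
    return f"SET search_path TO {quote_ident(ctx.schema)}"


def check_query(sql_text: str, ctx: TenantContext) -> str:
    """Defense-in-depth lint run before execution: reject statements that
    name another company's schema or try to move search_path. Not a parser."""
    if SEARCH_PATH_RE.search(sql_text):
        raise PermissionError("search_path is set only by the request layer")
    for ref in FOREIGN_REF_RE.findall(sql_text):
        if ref.lower() != ctx.schema:
            raise PermissionError(f"cross-schema reference to {ref}")
    return sql_text
```

The lint complements, rather than replaces, the database-side control: the application role should also hold no privileges on other companies' schemas.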

7) Incident Response

  • Detection: Monitoring and alerting for disruptions and security events.
  • Communication: Updates via email and in-app banners; post-mortems for high-severity incidents.
  • Breach notification: Prompt notice with scope, impact, and remediation details.

8) Data Residency & Transfers

Customer data is stored and processed in the United States. If international transfers apply, we rely on appropriate safeguards consistent with applicable law.

9) Sub-processors

  • AWS – database, storage, hosting, SES transactional email
  • Firebase – authentication & identity
  • Stripe – billing & payments

All sub-processors operate under written agreements with confidentiality and security obligations.

10) Compliance Roadmap

We align operations with industry best practices and continually improve controls. Priorities include tighter access governance, expanded audit logging, and vendor risk reviews appropriate to our stage.

11) Responsible Disclosure

If you believe you’ve found a vulnerability, email security@tapticdata.com with steps to reproduce. We acknowledge valid reports and work promptly to resolve issues.

Related Policies & Contacts

Security FAQ

Where is my data stored? In AWS (United States): Amazon RDS for PostgreSQL and S3 for objects.

How is tenant data separated? Per-company database schemas, plus server-side authorization checks.

Do you encrypt data? Yes—TLS in transit and cloud-managed encryption at rest.

How do I report a security issue? Email security@tapticdata.com with steps to reproduce.

Effective Date: November 2025