Loading…
Tagible is built compliance-first. This page documents how we host, encrypt, and govern customer data, and how to reach the security team.
Last reviewed May 2026. Material changes posted to the blog.
Where Tagible runs and where your data lives.
Application + Postgres + storage all live in Frankfurt, EU. AI inference uses EU-region endpoints. We never transfer customer data outside the EEA without an adequacy decision or your explicit SCC opt-in.
Supabase Pro project in eu-central-1. Row-Level Security on every tenant table. Daily automated backups with point-in-time recovery.
Photos + PDFs + exports on R2 EU. Pre-signed URLs only; no public-bucket access. 83% cheaper egress than Supabase Storage; the savings go into uptime headroom.
How data is protected in transit, at rest, and in backups.
TLS 1.2+ on every endpoint. HSTS preload, secure cookies, SameSite=Lax minimum. Cipher suite restricted to AEAD ciphers (ChaCha20-Poly1305 + AES-128-GCM).
Postgres + R2 encrypted with AES-256-GCM via the provider. Application-level encryption (envelope, AES-256-GCM) on the sensitive-data columns flagged in the schema (OAuth refresh tokens, signing-secret caches).
PITR plus daily logical dump. Backups encrypted with the same key set. 30-day retention; longer windows available on Enterprise.
Who can see what + how every mutation is provable.
Supabase Auth (email/password + Google + Apple). Optional TOTP 2FA on every account; AAL enforcement blocks AAL1 sessions when MFA factors exist. Magic-link inspector + whistleblower flows for external readers.
6 roles (owner / admin / manager / member / viewer / requester). Per-table RLS policies. Plan limits + module gating enforced server-side; UI hints are advisory.
Every mutation hash-chained with SHA-256 via a Postgres BEFORE-INSERT trigger. Owners can run the verify-chain endpoint to prove integrity end-to-end. Tamper-evident by design — UPDATE + DELETE policies on the audit table return false even for the service role.
Time-bound, scope-restricted magic-links (org-wide / site / template / qr_code / date_range). Read-only on every public-inspector endpoint. Token bcrypt-hashed; plaintext shown once on creation.
Third parties that process customer data on our behalf. Updates announced at least 14 days before they take effect; current customers can object via support@tagible.io.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database + auth + storage | EU (Frankfurt) |
| Vercel | Application hosting | EU (Frankfurt) |
| Cloudflare R2 | Media CDN | EU |
| Cloudflare Turnstile | Bot defense on public endpoints | EU |
| Stripe | Subscription billing + EU VAT | EU (with US fallback) |
| Resend | Transactional email | EU |
| Anthropic + OpenAI | AI inference (template gen + translation + officer digest) | EU-region endpoints |
| Sentry | Error reporting | EU |
| PostHog | Product analytics (PII-free) | EU |
| FCM + APNs | Mobile push (native shell) | Google / Apple |
Article 30 records of processing maintained internally. DPA available on Growth+ plans — email legal@tagible.io to request a counter-signed copy.
Whistleblower module ships a compliant channel: anonymous reporting, 7-day ack, 90-day substantive response, signed quarterly attestations.
Digital Product Passport module emits JSON-LD compatible with the consortium spec. Printable PDF and CIRPASS-format exports on every passport.
Targeted for 2027. Controls mapped against the standard today (access control, audit logging, encryption, vendor management); formal certification follows once revenue supports the auditor cycle.
How to reach the security team.
Email security@tagible.io with a vulnerability report. We acknowledge within 24h on business days. Confirmed reports get an attribution in the changelog (with consent) and, where the impact warrants it, a thank-you bounty.
Use our PGP key (fingerprint published soon) for sensitive findings. Until that lands, contact us first and we'll provide an alternative encrypted channel.
Email legal@tagible.io for procurement materials (DPA, SCC, sub-processor list, pen-test summary). We typically turn these around in two business days.