Security

Last updated: May 2026

Our customers' data security is at the core of the product. We run on modern cloud infrastructure, with encryption at every layer, automatic backups, and strict access controls.

1. Encryption

• Transport: all traffic is encrypted with TLS 1.3 (HTTPS). No unencrypted traffic.
• Storage: all data — DB, files, backups — is encrypted at rest with AES-256.
• Secrets: API keys, passwords, and tokens are stored in an encrypted vault (AES-256-GCM with a separate master key per tenant).

2. Customer Isolation (Multi-tenancy)

Every customer receives a dedicated PostgreSQL schema with full isolation. There is no shared data between customers. Queries run against a fixed search_path scoped to the tenant's schema, with defense-in-depth tenant_id enforcement on every row.

3. Backups and Recovery

• Daily automatic backup of DB + user files
• The 30 most recent backups are retained per customer
• Backups are stored off-site, separate from the main server
• RTO (recovery time objective): under 4 hours
• RPO (maximum data loss): under 24 hours

4. Access Control

• Two-factor authentication (2FA) available for all users
• Passwords stored using bcrypt cost 12
• JWT with refresh tokens, short expiry
• Vault passphrase (master key) is fully isolated — not recoverable, even by Tamit
• Role-based access controls in the Backoffice (admin / user)

5. Monitoring and Logs

• Centralized logs of every API action
• Real-time monitoring of errors, suspicious login attempts, and performance
• Self-check on every server startup — if critical routes are missing, this is logged immediately
• Nightly smoke tests — daily automated contract checks between modules

6. Compliance and Standards

We comply with the principles of the Privacy Protection Law (Israel) and GDPR. Our guidelines for handling customer data are documented in our Data Processing Addendum.

7. Security Incident Reporting

If you discover a security vulnerability, please report it by email to [email protected]. We commit to an initial response within 48 hours and to remediation of critical vulnerabilities within 7 days.

8. Bug Bounty Program

We plan to launch a formal bug bounty program soon. In the meantime, responsible security researchers will receive public credits and symbolic rewards.

9. Service Termination

When a trial or subscription is cancelled, your data is retained for an additional 30 days in a closed state (for recovery purposes), and then permanently deleted. You can export everything to a JSON file from the dashboard before deletion.

10. Questions?

Our security team is available at [email protected] or via WhatsApp.