Legal

Security at TuinApp

Security is a foundation, not a feature. This page summarises our current controls, our roadmap, and how to report a vulnerability. Last updated 27 May 2026.

Short version. Per-tenant database isolation, TLS 1.2+ everywhere, audit logs on every change, UK / EU data residency by default, 2FA for staff, vulnerability disclosure at [email protected] with a 24-hour first-response commitment.

1. Architecture

  • Per-tenant database isolation. Every customer workspace runs in its own database. Cross-tenant queries are impossible by design. Postgres row-level security (RLS) is a backstop, not a substitute.
  • Defence in depth. Cloudflare WAF and DDoS protection at the edge, application-level input validation and CSRF protection, query parameterisation (no string-concatenated SQL), strict Content Security Policy headers.
  • Identity isolation. Workspace, user and role records never cross tenant boundaries. SSO/SAML on Enterprise integrates with your IdP using OpenID Connect or SAML 2.0; SCIM auto-provisions and de-provisions.
  • Separation of marketing site and SaaS app. The marketing site (this domain) and the multi-tenant SaaS run on separate virtual hosts. A compromise of one does not give access to the other.

2. Encryption

  • TLS 1.2+ on every public connection. HSTS enabled with a six-month max-age and includeSubDomains.
  • Modern cipher suites only; legacy SSL and TLS 1.0/1.1 disabled.
  • Cloudflare-issued and Let's Encrypt certificates, auto-renewed.
  • Database encryption at rest via underlying storage encryption (Contabo).
  • Application-level encryption of sensitive fields (API tokens, OAuth refresh tokens, SSO secrets) using authenticated encryption with envelope keys.
  • Customer-managed encryption keys (BYOK) available on Enterprise.

3. Access control

  • For customers. Granular role-based access control (RBAC) at the workspace, group, and record level. 2FA via TOTP available to every user on every plan. Passkey login available. SSO/SAML/OIDC and SCIM on Enterprise.
  • For TuinApp staff. SSH key authentication only (passwords disabled). All access to production goes through a bastion. Least-privilege principle applied to every role. Hardware security key required for elevated permissions.
  • Audit logging. Every create, read, update, delete operation in the platform produces an audit record (actor, resource, before / after, IP, user-agent, time). Retention is one year on Pro, configurable up to seven years on Enterprise. Logs are append-only and signed.

4. Network and infrastructure

  • Production runs on a hardened Linux VPS (Contabo, EU) with Nginx in front, PHP-FPM and application servers behind. No services exposed to the public internet other than HTTP/HTTPS and SSH (key-only, non-default port, fail2ban).
  • Cloudflare provides DDoS protection, rate limiting and Web Application Firewall rules tuned for the application.
  • Outbound email travels over authenticated SMTP to Brevo with SPF, DKIM and DMARC alignment on the sending domain.
  • Daily off-site, encrypted backups of CSV form data and (once live) the multi-tenant databases. Backup restoration is tested at least quarterly.

5. Data residency

Customer data is stored in the European Union by default. Enterprise customers can pin residency to the UK, an EU region, or another supported region; once data is pinned it stays in that region for storage and processing, except for transient operational tasks that are documented in the DPA.

6. Compliance roadmap

We do not claim certifications we do not yet hold. Our roadmap is:

Framework Status Target
UK GDPR / EU GDPRIn effectContinuous
Cyber Essentials PlusIn progressQ3 2026
SOC 2 Type IIControls being implementedQ1 2027 (report covering Q3-Q4 2026)
ISO/IEC 27001:2022Gap analysis completeQ3 2027
EU AI Act conformityDocumentation in progressQ4 2026 (before EU AI Act enforcement window)
NYC Local Law 144 (hiring AI)Bias audit framework readyActive before any US Customer goes live

7. Vulnerability disclosure

We welcome reports from independent security researchers. If you have found a vulnerability, please email [email protected] with a description, reproduction steps, and your contact details.

Our commitments:

  • First response within 24 hours (business days; best effort on weekends).
  • Triage and severity assessment within 72 hours.
  • Coordinated disclosure: we work with you on a reasonable timeline before any public write-up.
  • Public credit (or anonymity if you prefer).
  • No legal action against good-faith research that respects user privacy, avoids destructive testing, and uses only test or your own accounts.

A formal bug-bounty programme launches alongside the SaaS general availability; details to follow.

8. Reporting an incident

If you believe your TuinApp account has been compromised, or you have received a suspicious email claiming to be from us, please email [email protected] immediately. Include any relevant headers and screenshots. Do not forward attachments.

9. Carina AI: safety by design

Carina runs with a clear separation between drafting actions (no human approval needed) and material actions (always human-approved). Prompt-injection defences include strict tool authentication, per-tenant scope on every tool call, and an approval queue for any reversible-or-not action that touches a customer, a contract, money, or a deletion. Carina sessions log every tool call to the tenant audit log, redactable on request.

10. Contact and PGP

Security and incident response: [email protected]. Procurement and questionnaires (SIG, CAIQ, Vendor Risk Assessments): [email protected].

For sensitive reports, encrypt your message to our PGP key. Algorithm: Ed25519 / Cv25519. Expires: see key for current date.

Fingerprint

1243 721C 16BC 801D BEE3 E55D 905C 8CD2 8731 3F82

Download public key Verify on keys.openpgp.org

Verify the fingerprint locally: gpg --import security.asc && gpg --fingerprint [email protected]. The output must match the fingerprint above.

Last updated: 27 May 2026.