Legal
Security
Last updated:
May 16, 2025
Security of Tapflow
Every day, hundreds of people build, launch, and sell products on Tapflow.
Your work is valuable, and we strive to ensure that your privacy and data are never compromised.
Below are the core measures we have in place. Need something custom? Talk to us about enterprise security options.
Compliance
Tapflow is committed to meeting or exceeding the security requirements defined by global regulations such as GDPR and CCPA.
We continuously assess our posture and engage third‑party auditors to verify that our controls and processes remain effective.
(Certification details will be shared with Enterprise customers as they become available.)*
Data Security
All Tapflow services are hosted in Amazon Web Services (AWS) facilities in the United States.
Workloads are distributed across multiple AWS availability zones—physically separate data centers that safeguard against single‑site failures.
For more, see the AWS Cloud Security Center.
Data classification
Tapflow classifies the data we create and maintain into three tiers:
Confidential – customer and personal data
Internal – Tapflow operational data not meant for public disclosure
Public – marketing material and content on tapflow.co
Encryption at rest
We use AWS‑managed data stores—PostgresDB, ElastiCache, S3—for primary data and backups.
All are configured with AES‑256 encryption at rest.
Secrets & key management
Secrets live in AWS Systems Manager Parameter Store and are encrypted with AWS KMS.
Access is granted on a least‑privilege basis and managed by the Tapflow infra team.
Environment separation
Production, staging, and development networks are fully isolated.
Product Security
Secure development
Tapflow practices continuous delivery, shipping to production dozens of times per day.
All code changes go through pull requests and peer review.
Dependabot keeps dependencies up‑to‑date.
Static analysis (Code Climate) flags quality or security issues early.
Sentry tracks runtime errors; a SIEM stack monitors logs and events across the fleet.
External testing & bug bounty
We run regular third‑party penetration tests and a private bug‑bounty program.
Findings are triaged and remediated by the security team.
Interested researchers can request an invite by following our disclosure guidelines.
Infrastructure & Network Security
Transport security
TLS 1.2+ everywhere—between internal services and out to the public internet.
HTTP Strict Transport Security (HSTS) is enforced and all production domains are on the preload list.
External attack surface
Only public apps and APIs are exposed to the internet.
Everything else is internal‑only, reachable via VPN or SSO proxy and continuously monitored for changes.
Segmentation & monitoring
We employ a multi‑account AWS strategy to separate prod, staging, logging, security, and marketing domains.
VPCs, security groups, NACLs, and subnets provide additional boundaries.
Centralized logging and CloudTrail feed into automated anomaly detection, with 24 × 7 SOC oversight.
Organisational Security
Security training – mandatory for all new hires; annual refreshers for everyone; deep‑dive sessions for engineers.
Asset inventory – real‑time tracking of networks, services, servers, and employee devices.
Least‑privilege access – customer data access requires explicit approval, is logged, and is continuously audited.
Incident response – defined playbooks for triage, investigation, and communication; external SMEs on call when needed.
Operational Security
Backups & DR
Customer data is stored redundantly across availability zones; backups are encrypted and tested every 30 days.
Endpoint security
All employee laptops are centrally managed (MDM), with full‑disk encryption, firewalls, automatic patches, and remote‑wipe capability.
Risk management
Tapflow performs periodic risk assessments to ensure that policies, tooling, and practices keep pace with the threat landscape.
See something? Email hi@tapflow.co with a repro and impact assessment.
Legal
Security
Last updated:
May 16, 2025
Security of Tapflow
Every day, hundreds of people build, launch, and sell products on Tapflow.
Your work is valuable, and we strive to ensure that your privacy and data are never compromised.
Below are the core measures we have in place. Need something custom? Talk to us about enterprise security options.
Compliance
Tapflow is committed to meeting or exceeding the security requirements defined by global regulations such as GDPR and CCPA.
We continuously assess our posture and engage third‑party auditors to verify that our controls and processes remain effective.
(Certification details will be shared with Enterprise customers as they become available.)*
Data Security
All Tapflow services are hosted in Amazon Web Services (AWS) facilities in the United States.
Workloads are distributed across multiple AWS availability zones—physically separate data centers that safeguard against single‑site failures.
For more, see the AWS Cloud Security Center.
Data classification
Tapflow classifies the data we create and maintain into three tiers:
Confidential – customer and personal data
Internal – Tapflow operational data not meant for public disclosure
Public – marketing material and content on tapflow.co
Encryption at rest
We use AWS‑managed data stores—PostgresDB, ElastiCache, S3—for primary data and backups.
All are configured with AES‑256 encryption at rest.
Secrets & key management
Secrets live in AWS Systems Manager Parameter Store and are encrypted with AWS KMS.
Access is granted on a least‑privilege basis and managed by the Tapflow infra team.
Environment separation
Production, staging, and development networks are fully isolated.
Product Security
Secure development
Tapflow practices continuous delivery, shipping to production dozens of times per day.
All code changes go through pull requests and peer review.
Dependabot keeps dependencies up‑to‑date.
Static analysis (Code Climate) flags quality or security issues early.
Sentry tracks runtime errors; a SIEM stack monitors logs and events across the fleet.
External testing & bug bounty
We run regular third‑party penetration tests and a private bug‑bounty program.
Findings are triaged and remediated by the security team.
Interested researchers can request an invite by following our disclosure guidelines.
Infrastructure & Network Security
Transport security
TLS 1.2+ everywhere—between internal services and out to the public internet.
HTTP Strict Transport Security (HSTS) is enforced and all production domains are on the preload list.
External attack surface
Only public apps and APIs are exposed to the internet.
Everything else is internal‑only, reachable via VPN or SSO proxy and continuously monitored for changes.
Segmentation & monitoring
We employ a multi‑account AWS strategy to separate prod, staging, logging, security, and marketing domains.
VPCs, security groups, NACLs, and subnets provide additional boundaries.
Centralized logging and CloudTrail feed into automated anomaly detection, with 24 × 7 SOC oversight.
Organisational Security
Security training – mandatory for all new hires; annual refreshers for everyone; deep‑dive sessions for engineers.
Asset inventory – real‑time tracking of networks, services, servers, and employee devices.
Least‑privilege access – customer data access requires explicit approval, is logged, and is continuously audited.
Incident response – defined playbooks for triage, investigation, and communication; external SMEs on call when needed.
Operational Security
Backups & DR
Customer data is stored redundantly across availability zones; backups are encrypted and tested every 30 days.
Endpoint security
All employee laptops are centrally managed (MDM), with full‑disk encryption, firewalls, automatic patches, and remote‑wipe capability.
Risk management
Tapflow performs periodic risk assessments to ensure that policies, tooling, and practices keep pace with the threat landscape.
See something? Email hi@tapflow.co with a repro and impact assessment.