INFORMATION SECURITY STATEMENT
Security, by default
TapuGezgini's information-security controls in production. This page describes the actual behaviour of the running system, not marketing. Updated the same day new controls ship.
To report a security vulnerability: responsible-disclosure policy
Identity + access
Who can do what, and how it's verified
Multi-factor authentication (MFA)
TOTP-based MFA is required for all accounts holding a system role. WebAuthn supported; SMS backup codes operator-configurable. Backup codes stored bcrypt-hashed.
Password policy
Minimum 12 characters; leaked-password check via HIBP k-anonymity API; last 5 passwords cannot be reused; optional scheduled rotation.
Permission-based access (RBAC)
~52 permissions, 10 system roles + custom organisation roles. Resource-scoped permissions (own / organization / global). Permission set is cached on the session; invalidated instantly on role change.
Session management
32-byte opaque token (tg_sid cookie). 30-day rolling TTL, 90-day hard cap. Users can revoke all sessions instantly.
Brute-force lockout
Per-IP + per-email sliding-window rate limit (Redis). 5 failures = 1-minute lockout; 10 = 15 minutes; 20 = 24 hours + email alert.
Data protection
Encryption across the data lifecycle
Sensitive-field encryption (envelope, v2)
TC ID, provider access tokens, and MFA secrets are AES-256-GCM encrypted. Wire format: v2:keyId:iv:tag:ct — key rotation is continuous; rows encrypted under older keyIds are migrated to the current key by a background worker.
Storage encryption
AWS RDS encrypted (KMS); S3 objects server-side encrypted (SSE-S3); private bucket + signed-URL access for confidential files.
Transport encryption
All HTTP traffic over TLS 1.2+ enforced. HSTS enabled. Internal service-to-service traffic on a private network with IAM authentication.
Secrets management
All production secrets in AWS Secrets Manager. In-memory cache with a 5-minute TTL; rotation runbook is documented.
Audit + integrity
What happened, and how it can be proven
Tamper-evident audit chain (EG-34)
All AuditEvent records chain via SHA-256 hashes (eventHash + previousEventHash). Writes are serialised with pg_advisory_xact_lock. A daily verification automation checks chain integrity and raises a critical alert on any break.
Wide coverage
47 admin + 16 account endpoints emit AuditEvent. The hash chain protects 94+ call sites automatically. Severity escalation: info → notice → warning → alert.
Data retention policy
Retention policies are defined per resource type (contracts 7 years, sessions 30 days, etc.). Expired records are auto-deleted or scrubbed. The deletion itself is audited.
Application security
Reducing the attack surface
Rate limiting + CSRF + Idempotency
All write endpoints are rate-limited (per-IP + per-user). State-changing cross-origin endpoints verify a CSRF token. Payment + credit endpoints are retry-storm-safe via Idempotency-Key.
Polymorphic FK enforcement
A check constraint requires every row in a polymorphic table (Notification, Order, CreditEntry, etc.) to belong to exactly one parent, so orphan records cannot be created.
PII scrub policy
On a user-delete request, a class-based scrub runs: legal records (contracts, audit) are preserved; contact info, message contents and attachments are scrubbed at the end of their retention period.
Dependency security
Production dependencies are CVE-scanned. Critical findings are patched within 24 hours.
Independent audits, certifications
For our active audits and planned certifications, contact our security team. For enterprise customers we share pentest summaries and compliance documents on request.