Overview
We treat security as a product feature, not a checklist. The goal: make doing the right thing easier than doing the wrong thing, both for our team and for our customers. This page describes our current controls. We update it as we ship.
Encryption
In transit
All connections to Tootela are protected with TLS 1.2 or higher (typically TLS 1.3). Modern cipher suites only. HSTS is enforced with a 12-month max-age. We use HTTP/2 and HTTP/3.
At rest
Customer data is encrypted at rest with AES-256. Database disks, backups and object storage are all encrypted by the underlying provider, with keys held in the provider's key management service. Sensitive fields (passwords, OAuth tokens, payment instruments) additionally get application-level encryption using AES-256-GCM with rotated keys, so they stay protected even against access that bypasses disk encryption (a database dump, for instance).
Passwords
Passwords are never stored in cleartext. We hash them with bcrypt at a cost factor that follows OWASP guidance (currently 12). We don't impose arbitrary composition rules (mandatory symbols, forced rotation); instead we check every new password against the Have I Been Pwned breach corpus and refuse known-compromised entries.
Authentication
- Multi-factor authentication available for all users: TOTP and WebAuthn / passkeys.
- Single sign-on (SSO) via SAML 2.0 and OIDC on Enterprise plans (Google Workspace, Microsoft Entra, Okta, etc.).
- Session management: short-lived access tokens (1 hour), refresh tokens with rotation, automatic session invalidation on password change or suspected compromise.
- Magic links and email verification on all registrations.
- Brute-force protection: exponential back-off rate limiting, CAPTCHA after repeated failures, account lockout under sustained attack.
Access controls
- Inside the app: role-based access control (admin, member, guest), row-level security at the database level so a workspace can never see another workspace's data, granular per-app permissions.
- Inside Tootela: production access is limited to a small group of engineers, granted via short-lived, audited credentials. Every production access requires MFA. Access is reviewed quarterly.
- Background checks for engineers with production access.
- Endpoint security: company laptops are encrypted (FileVault / BitLocker), require strong passwords, lock after 5 minutes of inactivity, and run EDR.
Infrastructure
Tootela runs on a small, intentional stack:
- Application: Next.js, deployed on Vercel's edge platform. Serverless, auto-scaled, DDoS-protected at the edge.
- Database, auth, storage: Supabase. Postgres with row-level security as the primary trust boundary. Default region: eu-west-3 (Paris, France).
- Email: Resend, with SPF/DKIM/DMARC enforced.
- Payments: Stripe. Card data never touches our servers.
- AI features: Google Gemini and Anthropic Claude APIs, on paid tiers that contractually do not train on inputs. AI is opt-in per workspace.
Every dependency has a written DPA covering GDPR. Production environments are fully separated from staging and development.
Data handling
- Residency: EU by default. Enterprise customers can request other regions.
- Backups: automatic, daily, encrypted, retained 35 days. Point-in-time recovery covers the last 7 days.
- Deletion: when you delete a record it is soft-deleted in the app for 30 days, then hard-deleted from the live database. Backups are not edited; they age out on rotation, so a hard-deleted record can persist in a backup for up to 35 days after deletion.
- Export: one-click full export of your workspace data in standard formats (JSON, CSV, ZIP for files).
- Customer Content separation: data from one workspace cannot be queried from another. Enforced at the database row level, not at the application layer.
- No training on customer data. Content you put into Tootela is never used to train our models or any third-party model.
Secure development
- Code review: every change goes through pull-request review before merging to production.
- CI/CD: automated tests, type checks and security scans on every commit (Snyk for dependencies, GitHub CodeQL for static analysis).
- Secret management: secrets live in Vercel and Supabase environment variables, never in the codebase. Rotated regularly.
- Dependency hygiene: automated weekly upgrade PRs, manual review for transitive risk.
- Threat modelling: for new features that handle sensitive flows (auth, payments, sharing).
Monitoring & logging
- Application logs: structured, redacted (no PII in logs by default), retained 30 days.
- Audit logs: every privileged action (admin login, role change, export, integration toggle) is logged and visible to workspace admins on Business and Enterprise plans.
- Uptime monitoring: external probes from multiple regions, on-call rotation, status updates published in real time.
- Anomaly detection: automated alerts on unusual access patterns, failed-login spikes, error-rate jumps.
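As an added illustration of the failed-login alerting mentioned above (written for this page, not Tootela's detection code), the following runs a sliding-window count over constructed JSON-lines log records. Keying on both source IP and target account catches the two common shapes: one source spraying many accounts, and many sources targeting one account. The field names, sample lines and the five-per-minute threshold are this example's assumptions.

```javascript
// Added example, not Tootela's own code: failed-login spike detection over
// structured (JSON lines) application logs. The log lines, field names
// (event, outcome, ip, user) and the 5-per-minute threshold are constructed
// for this example.
function isoAt(seconds) {
  return new Date(Date.UTC(2024, 4, 1, 10, 0, seconds)).toISOString();
}

function line(seconds, outcome, ip, user) {
  return JSON.stringify({ ts: isoAt(seconds), event: 'auth.login', outcome, ip, user });
}

// Constructed sample: one IP spraying six accounts, five IPs hammering one
// account, and a user who simply mistyped twice before succeeding.
const SAMPLE_LOG = [
  ...[0, 5, 10, 15, 20, 25].map((s, i) => line(s, 'failure', '203.0.113.7', `user-${i + 1}`)),
  ...[100, 110, 120, 130, 140].map((s, i) => line(s, 'failure', `198.51.100.${i + 1}`, 'bob')),
  line(200, 'failure', '198.51.100.9', 'alice'),
  line(250, 'failure', '198.51.100.10', 'alice'),
  line(260, 'success', '198.51.100.10', 'alice'),
].join('\n');

// Largest number of events within any sliding window of windowMs over
// ascending timestamps.
function maxInWindow(times, windowMs) {
  let best = 0;
  let start = 0;
  for (let end = 0; end < times.length; end++) {
    while (times[end] - times[start] > windowMs) start += 1;
    best = Math.max(best, end - start + 1);
  }
  return best;
}

// Returns one alert per (key, value) whose failure count within any window
// reaches the threshold.
function detectFailedLoginSpikes(logText, { windowMs = 60000, threshold = 5 } = {}) {
  const failures = logText
    .split('\n')
    .filter(Boolean)
    .map((l) => JSON.parse(l))
    .filter((e) => e.event === 'auth.login' && e.outcome === 'failure')
    .map((e) => ({ ...e, t: Date.parse(e.ts) }))
    .sort((a, b) => a.t - b.t);

  const alerts = [];
  for (const key of ['ip', 'user']) {
    const byValue = new Map();
    for (const e of failures) {
      if (!byValue.has(e[key])) byValue.set(e[key], []);
      byValue.get(e[key]).push(e.t);
    }
    for (const [value, times] of byValue) {
      const count = maxInWindow(times, windowMs);
      if (count >= threshold) alerts.push({ key, value, count, window_s: windowMs / 1000 });
    }
  }
  return alerts;
}
```

Note what the sample is designed to show: the five attempts against `bob` come from five different addresses, so a per-IP rule alone would see nothing, while `alice`'s two typos stay under the threshold and never page anyone. In a real pipeline the same logic runs over a streaming window instead of a file, and the account key should be a stable user id rather than a raw email, which also keeps PII out of the alert itself.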
Incident response
We follow a documented incident response plan with severity levels, communication templates and post-mortems. If a security incident affects your data, we'll inform you without undue delay and within 72 hours of becoming aware of it, so that you, as the controller, can meet your own GDPR Article 33 notification deadline. The notice covers what happened, what data was involved and what steps we're taking. Post-mortems for major incidents are published on the status page.
Compliance
- GDPR: compliant. See our Privacy Policy and DPA.
- EU data residency: default. EU subprocessors only when possible; for non-EU subprocessors, EU Standard Contractual Clauses (SCCs) plus supplementary measures.
- SOC 2 Type II: in progress. Expected reporting period starts in 2026. We can share status under NDA.
- ISO 27001: on our 2027 roadmap.
If your procurement team needs a security questionnaire, send it to security@tootela.net and we'll turn it around quickly.
Responsible disclosure
If you believe you've found a security vulnerability in Tootela, please report it to security@tootela.net. Include enough detail to reproduce and, if possible, a proof of concept. We commit to:
- Acknowledge your report within one business day
- Provide an initial assessment within five business days
- Keep you updated on remediation progress
- Credit you (or keep you anonymous, your choice) once the issue is fixed
Please do not exploit the vulnerability beyond what's needed to demonstrate it, do not access data that isn't yours, and don't run automated scans on production. Acting in good faith protects you under our safe-harbour policy.
Out of scope: denial-of-service attacks, social engineering of our staff, physical attacks, vulnerabilities in third-party services we depend on (report those to the vendor).
Questions?
Reach our security team at security@tootela.net. PGP key available on request.