Trust & Safety

Answers for your InfoSec review.

We sit in your <head> and watch 80+ vendors on every page. That is a serious position to hold, so the controls below are written for the reviewer who has to sign off on us.

# tls 1.3 wire · aes-256 disk · region-locked · rls everywhere
# where_your_data_runs

Workloads run on Google Cloud with hard region isolation in Europe (europe-west1), United States (us-central1), and Asia Pacific (asia-south1). Each tenant picks a region at signup. Events hitting that region’s endpoint stay there for storage and query. Everything is TLS 1.3 on the wire and AES-256 on disk.

# infrastructure_security

What sits between us and the public.

Encryption in transit.

TLS 1.3 on every connection. HSTS on every domain. Certificates handled by Cloudflare and Google, so nothing expires on our watch.

Encryption at rest.

AES-256 on every BigQuery table and Supabase PostgreSQL row. API keys land in the database as bcrypt hashes, never as plaintext.

DDoS protection.

Cloudflare Enterprise sits in front of everything. Every API endpoint is rate-limited. The in-page script has its own flood guard.

Network isolation.

Cloud Run services run in isolated containers behind a VPC perimeter. Databases are not reachable from the public internet.

Access control.

Role-based access. Clerk JWT authentication. API keys are workspace-scoped. No shared secrets between tenants.

Audit logging.

Every API request is logged. Admin access to production is logged and reviewed. Logs are retained for 90 days.

# compliance_and_certifications

What we’re certified for, and what’s next.

  • GDPR (EU) 2016/679: DPA, sub-processor commitments, and 72-hour breach notification in place. Status: ✓ active
  • DPDP Act 2023 (India): Pseudonymised sessions, children_mode flag, and consent tracking for Indian traffic. Status: ✓ active
  • CCPA / CPRA (California): GPC signal detection, deletion rights, no sale of personal data. Status: ✓ active
  • PCI DSS 6.4.3 & 11.6.1: Script allow-list with SRI and change detection on payment pages. Status: ✓ active
  • SOC 2 Type II: Audit against Security, Availability, and Confidentiality trust service criteria. Status: in progress
  • ISO 27001: Information security management system. Status: planned 2026
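
What "script allow-list with SRI and change detection" means in practice, as an added example that is not TagDrishti's code: every external script on a payment page is checked against an approved inventory, its `integrity` attribute must carry the approved hash, and the bytes served now must still match it. The URLs, script bodies and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_sha384(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for each external <script>; inline scripts are skipped."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_page(html: str, allow_list: dict, served: dict) -> list:
    """allow_list: script URL -> approved SRI value (the inventory).
    served: script URL -> bytes the CDN returns now (fetched out of band)."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        approved = allow_list.get(src)
        if approved is None:
            findings.append((src, "not on allow-list"))
        elif integrity != approved:  # assumes one hash per integrity attribute
            findings.append((src, "integrity missing or not the approved value"))
        elif sri_sha384(served.get(src, b"")) != approved:
            findings.append((src, "served content changed"))
    return findings


# Constructed sample inputs: URLs and script bodies are placeholders.
PAY_URL = "https://cdn.example/pay.js"
GOOD = b"console.log('checkout widget v1');"
ALLOW = {PAY_URL: sri_sha384(GOOD)}
PAGE = (f'<head><script src="{PAY_URL}" integrity="{ALLOW[PAY_URL]}" '
        'crossorigin="anonymous"></script>'
        '<script src="https://unknown.example/t.js"></script></head>')

if __name__ == "__main__":
    print(audit_page(PAGE, ALLOW, {PAY_URL: GOOD}))
    print(audit_page(PAGE, ALLOW, {PAY_URL: GOOD + b"// modified"}))
```

A reviewer can ask a vendor which of these three findings its monitoring raises and how quickly each one reaches a human.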

Data isolation.

Every customer’s data is fenced off by tenant_id at every layer. BigQuery enforces it at the row level, Supabase enforces it through RLS policies, and Cloud Run middleware refuses to serve a request that crosses the boundary. Even if a URL leaked, another tenant could not pull your events out.

API keys are prefixed with td_live_ and scoped to a single workspace. A key issued for one domain will not read another domain’s data inside the same account unless you grant it explicitly.
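
The middleware-layer refusal described in the two paragraphs above, as an added sketch that is not TagDrishti's code: the tenant filter is derived from the key's own record, never from the URL, and a domain is readable only if the key was issued for it or explicitly granted it. `KeyRecord`, `scope_request` and the sample values are hypothetical.

```python
from dataclasses import dataclass

KEY_PREFIX = "td_live_"  # key prefix stated on the page


class Forbidden(Exception):
    """Request would cross a tenant or domain boundary."""


@dataclass(frozen=True)
class KeyRecord:
    # Hypothetical server-side record, found by looking up the presented key.
    tenant_id: str                            # the one workspace the key is scoped to
    issued_domain: str                        # the domain the key was issued for
    granted_domains: frozenset = frozenset()  # explicit extra grants


def scope_request(presented_key, record, url_tenant_id, domain):
    """Return the filter the storage layer must apply, or raise Forbidden.

    The tenant_id in the result always comes from the key record, never
    from the URL, so a leaked or guessed URL cannot widen access.
    """
    if not presented_key.startswith(KEY_PREFIX) or record is None:
        raise Forbidden("unknown or malformed API key")
    if url_tenant_id != record.tenant_id:
        raise Forbidden("key is not scoped to this workspace")
    domain = domain.strip().lower().rstrip(".")
    if domain != record.issued_domain and domain not in record.granted_domains:
        raise Forbidden("domain not granted to this key")
    return {"tenant_id": record.tenant_id, "domain": domain}


# Constructed sample data, not real keys or tenants.
KEY = "td_live_EXAMPLEONLY"
RECORD = KeyRecord("tenant-a", "shop.example", frozenset({"blog.example"}))


def try_request(url_tenant_id, domain):
    """Demo helper: returns the storage filter or the refusal reason."""
    try:
        return scope_request(KEY, RECORD, url_tenant_id, domain)
    except Forbidden as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    print(try_request("tenant-a", "shop.example"))   # issued domain
    print(try_request("tenant-a", "blog.example"))   # explicitly granted
    print(try_request("tenant-a", "other.example"))  # same account, no grant
    print(try_request("tenant-b", "shop.example"))   # cross-tenant URL
```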

Responsible disclosure.

Found something that looks wrong? Tell us and we will fix it:

  • Email [email protected] — or follow the contact in /.well-known/security.txt (RFC 9116)
  • Include a description, reproduction steps, and likely impact. PGP / GPG-encrypted email is fine; ask for the key
  • We acknowledge within 48 hours, complete triage within 7 days, and aim to ship fixes for Critical findings within 30 days
  • No legal action against good-faith researchers acting under this policy, period

In scope: tagdrishti.com, *.tagdrishti.com, the published SDKs, and our open-source plugins. Test against your own workspaces only — please do not attempt to access another tenant’s data, run automated scanners against production, or test denial-of-service.

Out of scope: social engineering of staff, physical attacks, missing security headers without a working exploit, version-disclosure bugs without proof of impact, and findings already known to us (we’ll tell you if we’ve seen it).

A paid bounty is not live yet, so today the rewards are credit and gratitude: serious findings get a named entry in our hall of fame, an acknowledgement on next year’s SOC 2 report, and our genuine thanks. As we grow, the programme will move to a real bounty (we’ll publish that here when it does).

Incident response.

If customer data is ever affected by an incident, this is what happens:

  • Affected customers are notified within 72 hours of us becoming aware of the breach
  • The notice covers the nature of the breach, the data affected, the steps we have taken, and what you should do next
  • Where GDPR requires it, the relevant supervisory authority is notified as well
  • A post-incident analysis and remediation report lands within 30 days

Sub-processor security.

Every sub-processor we use is contractually bound to controls equivalent to ours:

  • Google Cloud Platform: ISO 27001, SOC 2, PCI DSS Level 1
  • Supabase: SOC 2 Type II, hosted on AWS
  • Cloudflare: SOC 2 Type II, ISO 27001, PCI DSS
  • Paddle: PCI DSS Level 1 certified Merchant of Record, handles global tax + subscription billing
  • Resend: SOC 2 Type II

Security questions.

For security questions, audits, or enterprise security reviews, write to [email protected] and a human will respond.


Get your InfoSec review through in days.

DPA, sub-processor list, and an honest answer to every question your reviewer will ask. Email [email protected] or start the trial; the documentation is the same either way.

DPA on request · SOC 2 Type II in progress · ISO 27001 planned 2026