Trust & Safety

Security at TagDrishti

We monitor tag security for our customers — so our own security practices need to be impeccable. Here's exactly how we protect your data.

TagDrishti infrastructure is hosted on Google Cloud Platform (asia-south1) — one of the most secure and compliant cloud environments available. All data is encrypted in transit and at rest.

Infrastructure Security

  • Encryption in Transit: TLS 1.3 enforced on all connections. HSTS headers on all domains. Certificate managed by Cloudflare and Google.
  • Encryption at Rest: All BigQuery data encrypted with AES-256. Supabase PostgreSQL data encrypted at rest. API keys hashed with bcrypt before storage.
  • DDoS Protection: Cloudflare Enterprise-grade DDoS mitigation. Rate limiting on all API endpoints. Flood guard in the monitoring script.
  • Network Isolation: Cloud Run services run in isolated containers. VPC perimeter controls. No direct database access from the internet.
  • Access Control: Role-based access control. Clerk JWT authentication. API keys are workspace-scoped. No shared secrets across tenants.
  • Audit Logging: All API requests logged. Admin access to production systems is logged and reviewed. Logs retained for 90 days.

Compliance & Certifications

  • GDPR (EU) 2016/679: Full compliance including DPA, sub-processor agreements, and breach notification. Status: Active
  • DPDP Act 2023 (India): Session pseudonymisation, children_mode, consent tracking for Indian users. Status: Active
  • CCPA / CPRA (California): GPC signal detection, data deletion rights, no sale of personal data. Status: Active
  • PCI DSS 6.4.3 & 11.6.1: Script inventory monitoring, SRI validation, CSP violation detection. Status: Active
  • SOC 2 Type II: Security, availability, and confidentiality trust service criteria. Status: In Progress
  • ISO 27001: Information security management system. Status: Planned 2026

Data Isolation

Every TagDrishti customer's data is strictly isolated. Your tag event data, workspaces, and API keys are scoped to your tenant_id at every layer: the BigQuery row level, Supabase RLS policies, and Cloud Run middleware. No customer can ever access another customer's data, even if they discover an API endpoint.

API keys are prefixed with td_live_ and are workspace-scoped — a key for one domain cannot access data from another domain within your account unless explicitly granted.

Vulnerability Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue in TagDrishti, please report it responsibly:

  • Email: security@tagdrishti.com
  • Include: description, steps to reproduce, potential impact
  • We will acknowledge within 48 hours and provide a fix timeline
  • We do not pursue legal action against good-faith security researchers

We do not currently have a public bug bounty programme but recognise significant findings with credit and gratitude.

Incident Response

In the event of a security incident affecting customer data:

  • We will notify affected customers within 72 hours of becoming aware of the breach
  • Notification will include: nature of the breach, data affected, steps taken, and recommended actions
  • Where required by GDPR, we will also notify the relevant supervisory authority
  • Post-incident analysis and remediation report provided within 30 days

Sub-Processor Security

All our sub-processors are contractually bound to maintain security standards equivalent to our own:

  • Google Cloud Platform — ISO 27001, SOC 2, PCI DSS Level 1
  • Supabase — SOC 2 Type II, hosted on AWS
  • Cloudflare — SOC 2 Type II, ISO 27001, PCI DSS
  • Razorpay — PCI DSS Level 1 certified payment processor
  • Resend — SOC 2 Type II

Security Questions

For security questions, audits, or enterprise security reviews: security@tagdrishti.com