Skip to main content

Print this page (Cmd/Ctrl + P) and save as PDF for your reviewer.

Back to Trust Center

tailroster.com

TailRoster — Security Overview

A plain-language summary of how TailRoster protects facility and pet-parent data, for IT and procurement reviewers. This document contains no customer-specific information and is identical for every operator.

Revision

Infrastructure & hosting

  • Application and static assets are served from Vercel's global edge network.
  • The primary database and file storage run on Supabase (managed PostgreSQL) in us-east-1 (Virginia).
  • EU (Frankfurt) data residency is a planned enterprise-tier option; today all customer data sits in us-east-1.
  • Daily managed database snapshots with point-in-time recovery; 35-day retention (Supabase default).

Encryption

  • At rest: AES-256, Supabase-managed keys.
  • In transit: TLS 1.3, terminated at Vercel's edge.
  • Payment card data is tokenized by Stripe and never stored on our servers.
  • HSTS preload registration is on the roadmap and is not yet claimed as live.

Access controls

  • Multi-tenant isolation enforced by PostgreSQL row-level security keyed to a per-request tenant claim on every tenant table.
  • Seven-role RBAC (owner, manager, staff, groomer, trainer, front desk, read-only) with per-user permission overrides.
  • Every access change is recorded with who changed it and when.
  • Privileged actions are written to an append-only audit log that tenant users cannot forge.

Monitoring & incident response

  • A 5-minute health-watchdog job tracks service health and raises alerts; an external uptime ping backs it.
  • Application errors and stack traces are captured in Sentry.
  • Per-integration runbooks and a documented on-call escalation path exist for Supabase, Stripe, Twilio, Inngest, Resend, and Anthropic.
  • We acknowledge reported security issues within one business day (see responsible disclosure).

Compliance posture

  • SOC 2 Type I is in progress with a Q3 2026 target — we are not yet certified and claim no report.
  • GDPR and CCPA / CPRA data-subject requests are honored; we respond within 30 days.
  • We do not sell personal information or share it for cross-context behavioral advertising.
  • A Data Processing Addendum (DPA) is available for operators handling EU, UK, or California personal data.

Contacts

  • Security & vulnerability reports: security@tailroster.com
  • Privacy & data-subject requests: privacy@tailroster.com
  • Full, current detail (subprocessor list, SOC 2 progress, disclosure policy): the TailRoster Trust Center at /trust.