tailroster.com
TailRoster — Security Overview
A plain-language summary of how TailRoster protects facility and pet-parent data, for IT and procurement reviewers. This document contains no customer-specific information and is identical for every operator.
Revision
Infrastructure & hosting
- Application and static assets are served from Vercel's global edge network.
- The primary database and file storage run on Supabase (managed PostgreSQL) in us-east-1 (Virginia).
- EU (Frankfurt) data residency is a planned enterprise-tier option; today all customer data sits in us-east-1.
- Daily managed database snapshots with point-in-time recovery; 35-day retention (Supabase default).
Encryption
- At rest: AES-256, Supabase-managed keys.
- In transit: TLS 1.3, terminated at Vercel's edge.
- Payment card data is tokenized by Stripe and never stored on our servers.
- HSTS preload registration is on the roadmap and is not yet claimed as live.
Access controls
- Multi-tenant isolation enforced by PostgreSQL row-level security keyed to a per-request tenant claim on every tenant table.
- Seven-role RBAC (owner, manager, staff, groomer, trainer, front desk, read-only) with per-user permission overrides.
- Every access change is recorded with who changed it and when.
- Privileged actions are written to an append-only audit log that tenant users cannot forge.
Monitoring & incident response
- A 5-minute health-watchdog job tracks service health and raises alerts; an external uptime ping backs it.
- Application errors and stack traces are captured in Sentry.
- Per-integration runbooks and a documented on-call escalation path exist for Supabase, Stripe, Twilio, Inngest, Resend, and Anthropic.
- We acknowledge reported security issues within one business day (see responsible disclosure).
Compliance posture
- SOC 2 Type I is in progress with a Q3 2026 target — we are not yet certified and claim no report.
- GDPR and CCPA / CPRA data-subject requests are honored; we respond within 30 days.
- We do not sell personal information or share it for cross-context behavioral advertising.
- A Data Processing Addendum (DPA) is available for operators handling EU, UK, or California personal data.
Contacts
- Security & vulnerability reports: security@tailroster.com
- Privacy & data-subject requests: privacy@tailroster.com
- Full, current detail (subprocessor list, SOC 2 progress, disclosure policy): the TailRoster Trust Center at /trust.