Security Practices
How Tabstack secures data in transit and at rest, its access controls, and its infrastructure.
This page documents the security controls around the Tabstack platform.
Encryption
Data is encrypted in transit over TLS (1.2 or higher) and encrypted at rest. Encryption keys are managed by our cloud provider.
Access controls
API access is authenticated with a bearer key sent as TABSTACK_API_KEY. Keep it out of source control and rotate it in the console if it is exposed. See the Quickstart for setup and Troubleshooting for auth failures.
API keys can be set to expire; rotation is manual today. Within an organization, access is governed by roles: admin, member, and billing.
Internal access to customer data is restricted and audited, and is further limited because request payloads are only stored when an organization opts into detailed data collection. See Data Handling.
Infrastructure
Tabstack runs on Google Cloud Platform. The database is not publicly reachable. Dependencies and code are scanned for known vulnerabilities as part of our release process.
Reporting a vulnerability
Report security issues to security@tabstack.ai. You can expect acknowledgment within 2 business days and an initial assessment within 5 business days, with coordinated disclosure up to 30 days. The published security.txt also lists support@tabstack.ai as a contact.