--- title: Security Practices | Tabstack description: How Tabstack secures data in transit and at rest, its access controls, and its infrastructure. --- This page documents the security controls around the Tabstack platform. --- ## Encryption Data is encrypted in transit over TLS (1.2 or higher) and encrypted at rest. Encryption keys are managed by our cloud provider. ## Access controls API access is authenticated with a bearer key sent as `TABSTACK_API_KEY`. Keep it out of source control and rotate it in the [console](https://console.tabstack.ai) if it is exposed. See the [Quickstart](/getting-started/quick-start/index.md) for setup and [Troubleshooting](/production/troubleshooting#authentication-errors/index.md) for auth failures. API keys can be set to expire; rotation is manual today. Within an organization, access is governed by roles: admin, member, and billing. Internal access to customer data is restricted and audited, and is further limited because request payloads are only stored when an organization opts into detailed data collection. See [Data Handling](/trust/data-handling/index.md). ## Infrastructure Tabstack runs on Google Cloud Platform. The database is not publicly reachable. Dependencies and code are scanned for known vulnerabilities as part of our release process. ## Reporting a vulnerability Report security issues to ****. You can expect acknowledgment within 2 business days and an initial assessment within 5 business days, with coordinated disclosure up to 30 days. The published `security.txt` also lists as a contact.