Security First

Your data security is our priority

tapioca is built with security at its core. From encryption to access controls, we implement industry best practices to protect your data.

Security Practices

How we protect your data at every level

Encryption at Rest

All data stored in our databases is encrypted using AES-256 encryption. Database backups are also encrypted.

Encryption in Transit

All connections to tapioca use TLS 1.3. We enforce HTTPS and use HSTS with preloading.

Authentication Security

Passwords are hashed using Argon2id. We support SSO (OIDC/SAML), TOTP-based 2FA, and Cloudflare Access integration.

Access Controls

Role-based access control (RBAC) at organization, project, and task levels. Audit logging of all access and changes.

Infrastructure Security

Hosted on Hetzner (EU) with network isolation, firewalls, and DDoS protection via Cloudflare. Regular security patches.

Code Security

Open-source codebase for transparency. Automated vulnerability scanning with Trivy and SonarQube. Regular dependency updates.

Compliance & Certifications

Meeting industry standards for security and privacy

GDPR Compliant

Compliant

Full compliance with EU General Data Protection Regulation. Data processing agreements available.

SOC 2 Type II

In Progress

Currently preparing for SOC 2 Type II certification. Expected completion Q2 2026.

ISO 27001

Planned

ISO 27001 certification planned for 2026.

EU Data Residency

Compliant

All hosted data stored in European Union data centers (Hetzner, Germany).

Vulnerability Disclosure

Responsible Disclosure Policy

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

  1. Report the vulnerability: Email [email protected] with details
  2. Give us time to respond: We aim to acknowledge within 24 hours and provide updates within 72 hours
  3. Allow us to fix before disclosure: Please don't publicly disclose until we've had a chance to address the issue

What we commit to:

  • No legal action against good-faith security researchers
  • Acknowledgment in our security advisory (if desired)
  • Keeping you informed about the fix status
  • Recognition in our Hall of Fame for significant findings

security.txt

We follow the security.txt standard. Find our security contact information at:

https://tapioca.dev/.well-known/security.txt

Open Source Security

tapioca is open source, which means our security can be verified by anyone. We believe transparency builds trust.

Security Questions?

If you have questions about our security practices or need a security review for your organization, we're here to help.