Security
Our security posture, published openly. We believe transparency about what we have and what we don't builds more trust than vague enterprise-speak.
75% of controls active (18/24)
6 controls planned in the next 90 days
Security control coverage: 18 of 24 active
Network & Transport
✅ TLS 1.2+ on all endpoints
✅ HTTP → HTTPS redirect enforced
✅ HSTS with long max-age
⏳ Cloudflare WAF / DDoS protection (Planned — Month 2)
⏳ Rate limiting on API routes (Planned — Month 2)
Infrastructure
✅ SSH key-only access to VM
✅ GCP firewall — minimal open ports
✅ Service accounts with least privilege
✅ Automated weekly encrypted backups
✅ Docker container isolation
✅ Secrets in env vars (not in code)
⏳ Intrusion detection / alerting (Planned — Month 3)
Application
✅ HttpOnly + SameSite session cookies
✅ CSRF protection on mutation routes
✅ Input validation on all API routes
✅ SQL injection prevention (Prisma ORM)
✅ XSS prevention (React escaping)
⏳ Dependency vulnerability scanning (Planned — Month 2)
⏳ Security headers (CSP, X-Frame) (Planned — Month 2)
Data
✅ PII hashing (phone, email)
✅ Encrypted volumes at rest (GCP)
✅ No PII in AI API payloads
✅ Data retention policy enforced
⏳ Annual pen test (Planned — Year 1)
Responsible Disclosure
Found a vulnerability? Email hello@tuningfolks.com with the subject line “Security Disclosure”. We will acknowledge within 48 hours and resolve critical issues within 7 days. We don't have a bug bounty programme yet, but we will credit researchers publicly if they wish.