Security Overview

Security at TravlOps

We take the security of your agency's data seriously. Here's a transparent look at how we protect it.

  • TLS 1.3 in Transit — All data encrypted in flight
  • AES-256 at Rest — Supabase / AWS encrypted storage
  • PCI DSS Level 1 — Payments via Stripe — no card data on our servers

Infrastructure

TravlOps runs on a modern, battle-tested stack designed for security and reliability:

  • Vercel Edge Network — our application layer is deployed globally on Vercel's edge infrastructure. Vercel is SOC 2 Type II certified and complies with GDPR. All traffic is automatically served over HTTPS with TLS 1.3.
  • Supabase (PostgreSQL on AWS) — primary database and authentication provider. Supabase is SOC 2 Type II certified. Database instances run in AWS regions with GDPR-compliant data residency options.
  • Upstash Redis — serverless Redis used for rate limiting and caching. No personally identifiable data is stored. Upstash is SOC 2 Type II certified.

Encryption

  • In Transit: All connections to TravlOps use TLS 1.3. Older TLS versions (1.0, 1.1) are disabled. HTTP requests are automatically redirected to HTTPS.
  • At Rest: All database data is encrypted at rest using AES-256 via Supabase/AWS. Encryption keys are managed by AWS KMS and never directly accessible to TravlOps engineers.
  • Secrets: API keys, service tokens, and credentials are stored in Vercel's encrypted environment variable store. They are never committed to source code or logs.

Authentication & Access Control

  • JWT with Short Expiry: Sessions use short-lived JWTs issued by Supabase Auth. Refresh tokens rotate on use and are invalidated on sign-out.
  • Row Level Security (RLS): Every database table has RLS policies enforced at the Postgres level. A tenant's data is only accessible when the tenant_id claim in the authenticated user's JWT matches the tenant_id of the record. No query is shared across tenants.
  • Role-Based Access Control: Team members can be assigned Admin, Member, or Viewer roles. Role enforcement is checked at both the API middleware level and database RLS level.
  • Multi-Factor Authentication: MFA is supported via Supabase Auth (TOTP-based). We recommend enabling it on all admin accounts.
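As an added illustration of the JWT-to-tenant_id matching and role enforcement described above (example SQL written for this page, not TravlOps' own schema or policies), the following defines one tenant-scoped table and the RLS policies a Supabase/Postgres deployment would use. It assumes Supabase's auth.jwt() helper, which returns the caller's JWT claims as jsonb, and assumes the tenant_id and app role are carried in the token's app_metadata as custom claims; the bookings table, the claim names and the UUIDs are invented for the example.

```sql
-- Example only: a tenant-scoped table protected by RLS (hypothetical schema).
create table if not exists bookings (
  id          uuid primary key default gen_random_uuid(),
  tenant_id   uuid not null,
  customer    text not null,
  created_at  timestamptz not null default now()
);

-- Without ENABLE, policies are never consulted and any authenticated user
-- could read every row. FORCE applies the policies to the table owner too.
alter table bookings enable row level security;
alter table bookings force row level security;

-- Claim helpers. auth.jwt() is Supabase's accessor for the current request's
-- JWT claims; the claim names under app_metadata are this example's assumption.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

-- Unknown or missing role falls back to the least-privileged role.
create or replace function current_app_role() returns text
language sql stable as $$
  select coalesce(auth.jwt() -> 'app_metadata' ->> 'app_role', 'viewer')
$$;

-- Read: any authenticated member of the same tenant (Admin, Member, Viewer).
create policy bookings_tenant_select on bookings
  for select to authenticated
  using (tenant_id = current_tenant_id());

-- Insert: Admin or Member only, and the new row must belong to the caller's tenant.
create policy bookings_tenant_insert on bookings
  for insert to authenticated
  with check (tenant_id = current_tenant_id()
              and current_app_role() in ('admin', 'member'));

-- Update: same tenant, Admin or Member, and WITH CHECK stops a row from being
-- re-homed to another tenant by rewriting tenant_id.
create policy bookings_tenant_update on bookings
  for update to authenticated
  using (tenant_id = current_tenant_id()
         and current_app_role() in ('admin', 'member'))
  with check (tenant_id = current_tenant_id());

-- Delete: Admin only, within the caller's tenant.
create policy bookings_tenant_delete on bookings
  for delete to authenticated
  using (tenant_id = current_tenant_id()
         and current_app_role() = 'admin');

-- Verification inside a transaction: impersonate a Viewer of one tenant by
-- setting the claims GUC that auth.jwt() reads, then roll everything back.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-00000000aaaa",'
  '"app_metadata":{"tenant_id":"11111111-1111-1111-1111-111111111111","app_role":"viewer"}}',
  true);
-- Expect: only rows whose tenant_id is 1111...1111, regardless of WHERE clause.
select count(*) from bookings;
-- Expect: ERROR, new row violates row-level security policy (viewer cannot insert).
insert into bookings (tenant_id, customer)
  values ('11111111-1111-1111-1111-111111111111', 'example customer');
rollback;
```

Two caveats belong next to any policy like this: the Supabase service_role key bypasses RLS entirely, so any server-side code that uses it must apply the tenant filter itself, and a missing claim makes current_tenant_id() return NULL, which compares as unknown and therefore matches no row, which is the safe failure mode.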

Payment Security

Card data is processed exclusively by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of payment security certification. TravlOps servers never receive, transmit, or store raw card numbers. Our Stripe integration uses:

  • Stripe Elements (card data entered directly into Stripe's hosted fields)
  • Stripe Checkout for subscription creation
  • Webhook signatures verified on every event to prevent replay attacks

Vulnerability Disclosure Policy

We take all security reports seriously. If you discover a vulnerability in TravlOps, we ask that you follow responsible disclosure:

  • Report to: security@travlops.com with details of the vulnerability, reproduction steps, and potential impact.
  • Response SLA: We will acknowledge your report within 48 hours and provide a timeline for remediation.
  • Responsible Disclosure: We ask that you do not publicly disclose the vulnerability until we have released a fix. We will acknowledge your contribution in our release notes.
  • Reward: We recognize responsible disclosure. Depending on severity and impact, we may offer a subscription credit or public acknowledgment.
  • Out of Scope: Social engineering, phishing, physical attacks, and automated scanning without prior written consent.

Incident Response

In the event of a confirmed security incident affecting customer data:

  • Detection: We maintain audit logs and anomaly detection on all data access. Suspicious patterns trigger automated alerts.
  • Containment: Affected accounts are isolated immediately. Our on-call team responds within 1 hour.
  • Notification: Affected customers are notified within 72 hours per GDPR Article 33 requirements. Notifications include the nature of the breach, data affected, and steps we are taking.
  • Post-Mortem: We publish a transparent post-mortem for significant incidents within 30 days.

Security Contact

For all security matters:

  • Email: security@travlops.com
  • PGP Key: Available on request for encrypted disclosures.
  • Response Time: 48 hours for initial acknowledgment of any reported issue.

Non-security support questions should go to support@travlops.com.