Security
A plain-language summary of how we keep your catalog and your shoppers safe. If you need the formal security addendum for procurement, email [email protected] with subject "Security addendum".
Encryption
- In transit. TLS 1.3 everywhere — the marketing site, the API, the portal, the widget script, and every outbound call from our servers. HSTS is enabled; HTTP is upgraded to HTTPS.
- At rest. All customer databases (PostgreSQL, Qdrant vector store, Redis) are encrypted with AES-256. Image uploads used during indexing are discarded after embedding — only the embedding is persisted.
- Secrets. Your client_secret is stored as a bcrypt hash; it is never logged. Bearer tokens are signed JWTs with 1-hour expiry.
Tenant isolation
Every tenant gets its own Qdrant collection and its own Postgres row-level namespace. There is no cross-tenant query path in the code — every search call is scoped to the authenticated client's UUID before retrieval runs.
Public (widget) keys are Origin-bound with an explicit allow-list and are read-only. A key lifted from your site and pasted on another domain fails on the first call.
Authentication & authorisation
- OAuth 2.0 client_credentials grant for server-side integrations. JWTs signed with HS256; rotation without downtime via POST /oauth/refresh.
- Origin-bound public keys (pk_live_…) for browser-side widget search. Never exposes write access.
- Role-based access control inside the portal — default Admin and Developer groups, custom groups per tenant, granular permissions (products:write, search:advanced, etc.).
- Two-factor authentication (TOTP) supported for the portal.
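The Origin-bound, read-only public key check described under Tenant isolation and in the list above, written out as an added illustration (this is not Trooply's code; the key registry, the tenant UUID, the "search:basic" scope and the function names are constructed for the example):

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry: public key -> owning tenant UUID and exact-match Origin allow-list.
# Hypothetical data and layout, used only to illustrate the check.
WIDGET_KEYS = {
    "pk_live_EXAMPLE_A": {
        "tenant_id": "11111111-1111-4111-8111-111111111111",
        "origins": {"https://shop.example.com", "https://www.example.com"},
    },
}

# Scopes a public (widget) key may ever use; anything else is a write and is refused.
READ_ONLY_SCOPES = {"search:basic", "search:advanced"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tenant_id: Optional[str]  # set only on success; every later query is scoped to it
    reason: str


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Reduce a browser Origin header to scheme://host[:port] in lowercase.

    Returns None for a missing, opaque ("null") or malformed value so that
    such requests fall into the deny branch rather than matching by accident.
    """
    if not origin:
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("https", "http") or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def authorize_widget_call(key: str, origin: Optional[str], scope: str) -> Decision:
    """Deny unknown keys, any write scope, and any Origin not on the key's allow-list."""
    entry = WIDGET_KEYS.get(key)
    if entry is None:
        return Decision(False, None, "unknown key")
    if scope not in READ_ONLY_SCOPES:
        return Decision(False, None, "public keys are read-only")
    norm = normalize_origin(origin)
    if norm is None or norm not in entry["origins"]:
        return Decision(False, None, "origin not on allow-list")
    # Retrieval is scoped to this tenant before any search runs.
    return Decision(True, entry["tenant_id"], "ok")
```

A key copied to a page on another domain arrives with that domain's Origin and is refused on the first call; the same key used with a write scope is refused before the Origin is even examined.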
Logging & monitoring
We log API request metadata (endpoint, status, request ID, duration) for 30 days. Application errors are logged with stack traces for 30 days. Access-control decisions are logged. We do not log request bodies except when debugging a specific issue with your consent.
Every response carries an X-Request-ID header — quote it in any support email and we can pull the full server-side trace.
Data residency
Production data lives in the region specified in your contract (default: EU). We do not move your data to another region without your written consent. Sub-processors may process data outside that region for narrow purposes (Stripe for billing, for example); see the Privacy Policy.
Backups & disaster recovery
- Daily automated backups of Postgres and Qdrant, retained 14 days.
- Point-in-time recovery enabled on the primary database.
- Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 24 hours. Enterprise contracts can tighten these.
- Quarterly restore drills.
Vulnerability disclosure
If you find a security issue in Trooply, please email [email protected] with subject "Security report". Do not publicly disclose before we have had a reasonable chance to fix. We commit to:
- Acknowledge your report within 2 business days.
- Validate and triage within 10 business days.
- Ship a fix or a mitigation plan within 30 days of validation for high-severity issues.
- Credit you in the security advisory if you want credit.
We do not currently run a paid bug-bounty programme, but we do send thank-you gifts for responsibly disclosed, validated issues.
Compliance posture
Trooply is GDPR-aligned: documented processing, SCCs for international transfers, DPA available on request, data-subject-rights workflow, sub-processor disclosure. SOC 2 Type II audit is in progress; ETA shared on request. We do not currently hold PCI-DSS certification ourselves — payment data is handled entirely by Stripe, which is PCI-DSS Level 1 certified.
Incident communication
Operational incidents (degradation, outage) are posted at status.trooply.ai in real time. Security incidents affecting customer data trigger a direct email to account owners within 72 hours, per GDPR Art. 33.
Contact
For security questions, vulnerability reports, or the full procurement-grade addendum: [email protected].