Application & Data Security
Last updated: 2025-10-16
TapRebook is designed with a security-first mindset. We apply data minimization and least-privilege access, and we align our practices to GDPR principles for customers that operate in or serve the EU/EEA.
Summary
- Hosting: Google Cloud Platform (GCP).
- Encryption: TLS for data in transit; provider-managed encryption for data at rest.
- Access control: role-based, least-privilege access for personnel.
- Backups: regular encrypted backups with defined retention.
- Monitoring: logging and alerting for availability and security-relevant events.
- Privacy: we do not sell contact data collected on your behalf.
Hosting & infrastructure
TapRebook runs on Google Cloud Platform (GCP). We use managed services, network controls, and standard hardening practices appropriate to our stack. For details on Google’s platform safeguards, see the GCP Security pages.
Data ownership & purpose
You retain ownership of your customer data. We process it solely to provide the Service, for example to send permitted WhatsApp messages, manage templates and tags, and provide reporting. We do not sell your data.
Encryption
- In transit: All client–service communication uses HTTPS (TLS).
- At rest: Provider-managed encryption for databases, storage, and backups.
- Secrets: API keys and credentials are stored in encrypted secret stores, not source code.
Access control
- Least privilege: personnel receive only the access needed for their role.
- Review & audit: administrative access is limited and periodically reviewed.
- Separation of duties: production access is restricted to designated staff.
Backups & continuity
- Regular encrypted backups are maintained with defined retention windows.
- Restoration procedures are tested periodically.
Logging & monitoring
- Centralized logs and metrics for key services.
- Alerting on anomalies and service health indicators.
- Dependency updates and security patches applied in a timely manner.
Data retention & deletion
We retain data for as long as necessary to operate the Service and meet legal or audit requirements. Upon request (or account closure), we delete or export data within a reasonable timeframe, subject to lawful retention needs.
Compliance posture
- GDPR principles: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.
- DPA: If needed, a Data Processing Addendum is available upon request.
Incident response
We maintain procedures for triage, containment, remediation, and communication. If we determine that an incident has affected your data, we will notify you without undue delay, consistent with legal and contractual obligations.
Sub-processors
We use vetted sub-processors (e.g., cloud hosting, observability, WhatsApp BSPs) to deliver the Service. A current list is available upon request.
Questions
For security questions, a DPA, or a sub-processor list, contact us via the Contact page or email [email protected].