
Security Policy

Discover how Tomba protects your data with enterprise-grade security measures, encryption, and compliance standards.

Our Security Commitment

We take data security seriously. As a SaaS platform handling sensitive business data, we maintain the highest security standards to ensure your information is always protected.

Data Encryption

In Transit

All data transmitted to and from Tomba is encrypted using industry-standard protocols:

  • TLS 1.3 for all web traffic
  • HTTPS enforced across all endpoints
  • SSL/TLS for API communications
  • SSH tunneling for internal data transfers

At Rest

All stored data is encrypted using AES-256 encryption.

Data Retention

Data is retained only as long as necessary for service delivery and pipeline maintenance.

Infrastructure Security

Cloud Hosting

Our infrastructure is hosted on Cloudflare and DigitalOcean, which maintain compliance with:

  • SOC 1, 2, and 3
  • HIPAA
  • GDPR
  • ISO 27001

Physical Security

Our hosting providers implement comprehensive physical security:

  • 24/7 on-site surveillance teams
  • Biometric access controls
  • Full redundancy for power and connectivity
  • Secure, access-controlled facilities

Application Security

Firewall Protection

  • Web Application Firewall (WAF) - Cloudflare WAF filters all incoming requests to block malicious traffic
  • Network Firewall - All servers protected by strict IP-based access controls

Authentication

  • Multi-factor authentication for all administrative access
  • Secure session management
  • Password policies enforcing strong credentials

Code Security

  • Regular security audits and penetration testing
  • Automatic security updates
  • Secure development practices

Employee Security

  • Encrypted communications required for all team members
  • Security awareness training
  • Principle of least privilege access

Payment Security

Card Data Protection

Tomba does not store credit card information. We retain only non-sensitive data (last four digits) for customer support purposes.

PCI Compliance

Our payment processor, Paddle, is certified as a PCI Level 1 Service Provider - the most stringent certification in the payments industry.

Incident Response

We maintain a comprehensive incident response plan:

  1. Detection - Continuous monitoring for security anomalies
  2. Containment - Immediate isolation of affected systems
  3. Investigation - Thorough analysis of incident scope
  4. Notification - Timely communication with affected parties
  5. Remediation - Complete resolution and prevention measures

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

Email: security@tomba.io

We appreciate your help in keeping Tomba secure and will acknowledge valid reports.

Compliance

Tomba maintains compliance with:

  • GDPR - EU data protection regulation
  • CCPA - California Consumer Privacy Act
  • SOC 2 Type II - Security and availability controls

Questions?

For security-related inquiries, contact security@tomba.io.
