Where your data lives
- Marketing site: hosted on Render (US region). Server access logs are retained for a short rolling window (roughly 30–90 days) and stay in the US.
- Website forms (contact & demo): today, the contact and demo forms open your own email client through a mailto: link to hello@tillampa.com. Nothing is posted to a Tillampa server and no email-delivery provider is in the path; your message travels through your own email account. Server routes for form delivery exist in our code, and if and when we enable server-side submission, those routes would forward submissions through Resend or SendGrid (both US-based, each with its own security program), depending on configuration. We will update this page if that changes.
- Support chat (Anthropic): messages are sent to Anthropic for the model to respond, and are not persisted by us beyond the session — we do not store chat transcripts.
- Products (MuniStack, Tillampa widgets, Corp OS, and custom builds): hosted in the US on Render and/or Supabase, depending on the product. Each product deployment has its own database and access boundary.
In transit
- HTTPS / TLS 1.2+ everywhere. HTTP redirects to HTTPS.
- We set an HTTP Strict-Transport-Security (HSTS) header so browsers use HTTPS and do not fall back to plain HTTP.
- A baseline Content-Security-Policy restricts script sources, allowing only the origins and inline allowances the site needs to function.
At rest
- Product databases (Postgres on Render and/or Supabase) are encrypted at rest by the hosting provider.
- Backups are encrypted with a passphrase before upload and stored offsite in AWS S3 (US) with bucket-level access controls. See our Privacy Policy for retention windows.
Access controls
- Cookie-based authentication with role-based access on products.
- User, staff, admin, and Tillampa-internal (corp) tiers are enforced server-side. No client-side “hide the button” security.
- We log sensitive administrative actions — such as document uploads, user provisioning, and configuration changes — where a product supports it.
- API keys, service-role keys, and provider tokens live in Render environment variables — never committed to the repository and never exposed in browser code.
Software supply chain
- Code is reviewed before merge to main, and CI runs build and test checks.
- Dependencies are kept current, and security advisories from npm audit are triaged.
- Production-vs-dev separation: unsafe-eval in our CSP is a dev-only allowance for the bundler's hot-reload; the production CSP drops it.
AI handling
- The support chat uses Anthropic's Claude. The system prompt is fixed server-side and explicitly disallows fabricated claims (for example, it tells the model that Princeton, TX is a demo and modeling target, not a customer — and instructs the model never to claim otherwise).
- Product demos may use Anthropic and/or OpenAI. Inputs are rate-limited, and chat outputs are streamed back so a user can stop at any time.
- Per Anthropic's terms, API inputs are not used to train their models by default.
Data subprocessors
For procurement transparency, the third parties that may process data on our behalf across the site and our products are:
- Render (US) — application hosting, server logs.
- Supabase (US) — product database and authentication, depending on the product.
- Anthropic — the model behind support chat and some product demos; per Anthropic's terms, API inputs are not used to train models by default.
- OpenAI — may power some product demos.
- Amazon Web Services (AWS S3) (US) — encrypted offsite backup storage.
- Sentry — error monitoring, when enabled.
- Resend or SendGrid — email delivery for website forms, only if and when server-side form submission is enabled (not in the path today; see “Website forms” above).
This list reflects the marketing site and our general product architecture. The authoritative subprocessor list for a specific product engagement is the one set out in that engagement's signed agreement and Data Processing Addendum.
Compliance posture
We are an early-stage company, and we do not currently hold SOC 2, ISO 27001, or HIPAA certifications. We follow the underlying practices those frameworks describe — least-privilege access, encryption in transit and at rest, audit logging, and secret hygiene — and we are happy to walk through specifics with a procurement officer or security reviewer.
Incident response
If a security incident affects the marketing site or a product:
- We aim to acknowledge within 4 business hours of detection.
- We notify directly impacted parties through the contact on file, and in the manner and timeframe required by the applicable agreement and by law.
- We publish or share a postmortem once the issue and its mitigation are clear.
Responsible disclosure
We welcome reports from security researchers and ask that you disclose responsibly. If you believe you have found a vulnerability, please email security@tillampa.com with enough detail for us to reproduce the issue. In return, we ask that you:
- Give us a reasonable window to investigate and remediate before any public disclosure.
- Avoid privacy violations, data destruction, service disruption, and access to or modification of data that is not yours.
- Test only against accounts and assets you own or are explicitly authorized to test.
If you act in good faith under these guidelines, we will not pursue legal action over your research. We do not currently run a paid bug bounty, but we are grateful for responsible disclosure and will credit you in the fix if you would like. For abuse or misuse of our services, contact abuse@tillampa.com.
No warranty
No system is perfectly secure. This overview describes our current practices and intentions; it is provided for information only, does not form part of any contract, and is not a warranty, guarantee, or representation that the site or our products are free from vulnerabilities or that any particular security outcome will be achieved. We may update these practices as our products and risk environment evolve. Security commitments that legally bind us are set out only in a signed agreement. Use of this website is also subject to our Terms of Service and Privacy Policy.
Contact
Security reports: security@tillampa.com. General questions: hello@tillampa.com. You can also write to us at Tillampa LLC, 116 Maple St, Denton, TX 76201, USA.