Where your data lives
- Marketing site: hosted on Render (US region). Server access logs and form submissions stay in the US.
- Email forwarding: via Resend or SendGrid, depending on environment configuration. Both are US-based with their own security programs.
- Support chat (Anthropic): messages are sent to Anthropic for the model to respond, then discarded — we do not persist chat transcripts.
- Products (PermitFlow, Tactical Politician, custom): hosted in the US on Render and/or Supabase, depending on the product. Each customer engagement has its own database and access boundary.
In transit
- HTTPS / TLS 1.2+ everywhere. HTTP redirects to HTTPS.
- Strict-Transport-Security header set with the preload directive, telling browsers never to fall back to HTTP.
- A baseline Content-Security-Policy locks script sources to the same origin and a small list of necessary inline allowances.
At rest
- Per-customer Postgres databases (encrypted at rest by the hosting provider).
- Backups encrypted with passphrase before upload; offsite storage in AWS S3 with bucket-level access controls. See Privacy Policy for retention windows.
Access controls
- JWT-cookie authentication with role-based access on products.
- Customer, staff, admin, and Tillampa-internal (corp) tiers are enforced server-side. No client-side “hide the button” security.
- Audit logs on risky admin actions: code uploads, user provisioning, city configuration changes.
- API keys, service-role keys, and provider tokens live in Render environment variables — never committed to the repo and never exposed in browser code.
Software supply chain
- Code reviewed before merge to main. CI runs build and test checks (see issue #3 for workflow rollout).
- Dependencies kept current; security advisories from npm audit are triaged.
- Production-vs-dev separation: unsafe-eval in our CSP is a dev-only allowance for Turbopack HMR; the production CSP drops it.
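The In transit headers (HSTS with preload, baseline CSP) and the dev-only unsafe-eval allowance above, as one added example that is not Tillampa's configuration: the CSP is assembled per environment, and a small checker flags anything dev-only that would otherwise ship to production. The directives beyond script-src are illustrative, and that the site is a Next.js app (suggested by the Turbopack HMR mention) is an assumption.

```javascript
// Added example, not Tillampa's config: the transport-security headers this
// page describes, with the CSP built per environment so 'unsafe-eval' exists
// only in development (Turbopack HMR). Plain Node.js, no framework; the
// {key, value} shape is what a Next.js next.config.js headers() entry takes
// (that the site is Next.js is an assumption). Directives other than
// script-src are illustrative, not the site's real policy.

function buildCsp(env) {
  const isDev = env === "development";
  const directives = {
    "default-src": ["'self'"],
    // Turbopack HMR needs eval in dev; production must not carry it.
    "script-src": ["'self'", ...(isDev ? ["'unsafe-eval'"] : [])],
    "style-src": ["'self'", "'unsafe-inline'"], // one inline allowance, as an example
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", ...(isDev ? ["ws:"] : [])], // HMR websocket in dev
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
    "form-action": ["'self'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

function securityHeaders(env) {
  const headers = [
    { key: "Content-Security-Policy", value: buildCsp(env) },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  ];
  if (env === "production") {
    // Preload-list submission requires max-age >= 31536000 and includeSubDomains,
    // so every subdomain must already serve HTTPS before this goes live.
    headers.push({
      key: "Strict-Transport-Security",
      value: "max-age=63072000; includeSubDomains; preload",
    });
  }
  return headers;
}

// Parse a serialized CSP into directive -> Set of sources.
function parseCsp(csp) {
  const out = new Map();
  for (const raw of csp.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out.set(tokens[0].toLowerCase(), new Set(tokens.slice(1)));
  }
  return out;
}

// CI guardrail: things that must not ship in a production CSP.
function productionCspProblems(csp) {
  const p = parseCsp(csp);
  const problems = [];
  const scriptSrc = p.get("script-src") || p.get("default-src");
  if (!scriptSrc) problems.push("no script-src or default-src: scripts unrestricted");
  else if (scriptSrc.has("'unsafe-eval'")) problems.push("script-src allows 'unsafe-eval' (dev-only for Turbopack HMR)");
  const objectSrc = p.get("object-src") || p.get("default-src");
  if (!objectSrc || !objectSrc.has("'none'")) problems.push("object-src should be 'none'");
  return problems;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const env of ["development", "production"]) {
    console.log(env, productionCspProblems(buildCsp(env)));
  }
}
```

In a Next.js project the headers would be returned from next.config.js as `async headers() { return [{ source: "/(.*)", headers: securityHeaders(process.env.NODE_ENV) }]; }`; running productionCspProblems(buildCsp("production")) in CI and failing on a non-empty result is what keeps the dev allowance from leaking into a deploy.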
AI handling
- The support chat uses Anthropic's Claude. The system prompt is fixed server-side and explicitly disallows fabricated claims; for example, it tells the model that Princeton, TX is a demo target, not a customer, and instructs the model never to claim otherwise.
- Inputs are rate-limited per IP. Outputs are streamed back; the user can abort at any time.
- Per Anthropic's commitments, API inputs are not used to train their models by default.
Compliance posture
We are an early-stage company; we do not currently hold SOC 2, ISO 27001, or HIPAA certifications. We follow the underlying practices those frameworks describe — least-privilege access, encryption in transit and at rest, audit logging, secret hygiene — and we're happy to walk through specifics with a procurement officer or security reviewer.
Incident response
If a customer-facing incident affects the marketing site or a product:
- We acknowledge within 4 business hours of detection.
- We notify directly-impacted customers via the contact on file.
- We publish a postmortem when the issue and its mitigation are clear.
Report a security issue
Send vulnerabilities to security@tillampa.com. We ask that you give us a reasonable window to fix before public disclosure. We don't currently run a paid bug bounty, but we're grateful for responsible disclosure and will credit you in the fix if you'd like.