Security

Last updated: January 2025

Timply is committed to providing a secure platform for our customers. This page outlines the security measures we have implemented to protect your data and our infrastructure.

Infrastructure Security

Data Centers and Hosting

All Timply infrastructure is hosted within the European Economic Area (EEA) to ensure GDPR compliance:

  • AWS: eu-north-1 (Stockholm, Sweden)
  • Google Cloud Platform: eu-north1 (Stockholm, Sweden)
  • Supabase: EU region (Stockholm, Sweden)
  • Vercel: Stockholm, Sweden (hosting), EU (logs)

All data processing occurs within the EEA, ensuring compliance with GDPR requirements.

Build Systems

Our build and deployment systems may process source code and build logs outside Timply's direct control:

  • Vercel: Web deployment; builds and logs may be processed in Vercel's infrastructure
  • EAS (Expo Application Services): Mobile app builds; source code and build logs may be processed for compilation

These systems are used solely for deployment and do not process customer personal data. See our Data Processing Agreement for subprocessor details.

Network Security

Cloudflare Protection

  • DDoS Protection: Cloudflare provides automatic mitigation of distributed denial-of-service (DDoS) attacks
  • Web Application Firewall (WAF): Cloudflare's WAF helps protect against common web vulnerabilities
  • SSL/TLS Encryption: Automatic SSL certificate provisioning and renewal for all domains
  • CDN: Global content delivery network for improved performance and security

Vercel Firewall

  • Edge Protection: Vercel's firewall provides an additional layer of protection at the edge
  • Rate Limiting: Built-in rate limiting to prevent abuse

Google Cloud Platform Security

  • Cloud Armor: GCP's DDoS protection and WAF capabilities
  • Network Security: Secure network configurations and firewall rules
  • Identity and Access Management: Role-based access control for infrastructure

Application Security

Authentication and Authorization

  • Password Security: Passwords are hashed using bcrypt with 10 rounds before storage
  • Session Management: Secure session cookies with HTTPS-only and SameSite protection
  • Magic Link Authentication: Time-limited, single-use authentication links
  • API Key Authentication: Hashed API keys with rate limiting and expiration
  • Role-Based Access Control: Granular permissions system for different user roles

Rate Limiting

  • API Rate Limiting: 100 requests per minute per IP address for general endpoints
  • API Key Rate Limiting: Configurable rate limits per API key (default: 1000 requests per hour)
  • Authentication Rate Limiting: Protection against brute force attacks

Data Protection

Encryption

  • Data in Transit: All data transmitted over the network is encrypted using TLS 1.2 or higher
  • Data at Rest: Database encryption provided by Supabase
  • Payment Data: Payment information is processed securely through Stripe for subscriptions (PCI DSS compliant)

Database Security

  • Row Level Security (RLS): Supabase RLS policies ensure users can only access data they're authorized to view
  • Connection Security: Encrypted database connections
  • Backup Encryption: Regular encrypted backups

API Security

  • CORS Protection: Strict CORS policies limiting allowed origins
  • API Key Authentication: Secure API key-based authentication for external integrations
  • Input Validation: All API inputs are validated and sanitized
  • SQL Injection Protection: Parameterized queries and ORM usage prevent SQL injection

Payment Security

  • Stripe: All subscription payment processing is handled by Stripe, a PCI DSS Level 1 compliant payment processor
  • No Card Storage: We do not store credit card information. All payment data is processed directly by Stripe
  • Secure Payment Links: Payment links use Stripe's secure checkout system

Monitoring and Incident Response

  • Logging: Comprehensive logging of security-relevant events
  • Monitoring: Continuous monitoring of system health and security events
  • Error Monitoring: Sentry (EU) for application errors and performance
  • Uptime Monitoring: Service availability and uptime logs (global)
  • Incident Response: Procedures in place to respond to security incidents
  • Data Breach Notification: We will notify affected parties within 48 hours of discovering a data breach, as required by GDPR

Security Best Practices

For Organizations Using Timply

  • Use strong, unique passwords for your accounts
  • Enable two-factor authentication when available
  • Regularly review API keys and revoke unused ones
  • Keep your organization's user access up to date
  • Report any security concerns immediately to support@waltermedia.se

For End Users

  • Use strong passwords if you create an account
  • Be cautious of phishing attempts
  • Report suspicious activity to your organization administrator

Security Updates

We regularly update our dependencies and infrastructure to address security vulnerabilities. Security patches are applied as soon as they become available.

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Email: support@waltermedia.se

Please include:

  • Description of the vulnerability
  • Steps to reproduce (if applicable)
  • Potential impact
  • Your contact information

We appreciate responsible disclosure and will work with you to address any security concerns.

Compliance

  • GDPR: Full compliance with the General Data Protection Regulation
  • Data Residency: The majority of data is stored and processed within the EEA; see our Data Processing Agreement for subprocessor locations including Sentry (EU) and uptime monitoring (global)
  • Privacy: See our Privacy Policy for details on how we handle personal data

Subprocessors

For a complete list of subprocessors and their locations, see our Data Processing Agreement.

Contact

For security-related questions or concerns, please contact us at support@waltermedia.se.