
Security Practices

Effective: February 1, 2026

1. Infrastructure Security

Tuutio is hosted on industry-leading cloud infrastructure with robust physical and network security controls.

2. Data Location

Primary customer data is stored in the United States. Some operational data (such as error logs, analytics, and email delivery metadata) may be processed by subprocessors in other regions. For details on our subprocessors, contact us at support@tuutio.com.

3. Encryption

All data transmitted between your browser and our servers is encrypted using HTTPS (TLS). Customer data stored in our primary database is encrypted at rest. Backups and snapshots are encrypted where supported by our infrastructure providers. Some operational data processed by third-party services (such as error monitoring or analytics) may be subject to those providers' encryption practices.

4. Authentication and Access

We enforce minimum password strength requirements for all accounts. Two-factor authentication (2FA) is available for additional account protection, and Account Owners may require 2FA for all users on their account. Role-based access controls allow Account Owners to manage what team members can see and do within the platform.

5. Internal Access Controls

Access to customer data is restricted based on the principle of least privilege. Only authorized personnel may access production systems, and only for purposes of support, security, maintenance, or legal compliance. Administrative access is logged and subject to periodic review.

6. Payment Security

Payment processing is handled by a PCI-compliant third-party processor. We do not store credit card numbers or sensitive payment details on our servers.

7. Backups

We perform regular automated backups of all customer data with point-in-time recovery capabilities, allowing us to restore data in the event of an incident.

8. Data Retention and Deletion

When you delete data or cancel your account, we remove it from our production systems as described in our Privacy Policy. Backups are retained for a limited period and overwritten on a rolling basis. Deletion requests are subject to backup retention schedules and legal or security requirements. Some data, such as billing records and audit logs, may be retained longer as required by law.

9. Audit Logging

Activity within your account is logged, allowing Account Owners to see who made changes and when.

10. Organizational Security

Tenant Isolation: Customer data is logically separated. Each account's data is isolated and not accessible to other customers.

Environment Separation: Production and development environments are separate. Customer data is not used in development or testing environments.

Logging and Monitoring: We log security-relevant events and monitor systems for availability and suspicious activity.

Change Management: Changes to production systems undergo code review and approval before deployment.

Secure Development: We follow secure development practices, including code review, dependency management, and testing.

11. Incident Response

We maintain an incident response process to detect, investigate, and respond to security incidents. If we become aware of a security incident affecting your data, we will investigate promptly and notify you as required by applicable law and any contractual obligations. We do not commit to specific notification timelines beyond legal requirements.

12. Vulnerability Management

We regularly update dependencies and apply security patches. We monitor for known vulnerabilities in our software stack and prioritize remediation based on severity.

Responsible Disclosure: If you discover a security vulnerability, please report it to support@tuutio.com. We will acknowledge receipt within 3 business days, triage the report, and prioritize fixes based on severity. We appreciate responsible disclosure and will work to address issues promptly.

13. Business Entity

Tuutio is operated by a Delaware C-corporation based in the United States.