Security

1. Security Overview

Security Audit Status: Our most recent security audit was completed on November 19, 2025, with no critical vulnerabilities found. TallyCrew is production-ready and safe for use.

We are committed to:

• Protecting your personal information with bank-level security
• Maintaining transparency about our security practices
• Conducting regular security audits and updates
• Responding promptly to security concerns
• Following industry best practices and compliance standards

2. Website Security (TallyCrewWeb)

The TallyCrew website is a static landing page with minimal security concerns:

• ✅ No user data collection or storage
• ✅ No cookies or tracking technologies
• ✅ HTTPS encryption for all connections
• ✅ No forms that submit sensitive information
• ✅ Regular security updates and monitoring
• ✅ No known vulnerabilities

For more information about our website privacy practices, see our Cookie Policy.

3. Mobile App Security (TallyCrew App)

The TallyCrew mobile application implements comprehensive security measures to protect your financial data and personal information.

4. Security Best Practices

We follow industry best practices to maintain a secure application:

Regular Security Audits

• Comprehensive security audits performed regularly
• Most recent audit: November 19, 2025 (no critical issues found)
• Continuous monitoring for security vulnerabilities
• Prompt response to any identified issues

Dependency Management

• Regular dependency vulnerability scanning
• Automated security updates for dependencies
• Current status: 0 known vulnerabilities
• Use of trusted, well-maintained libraries

Secure Development

• No sensitive data in source code
• Environment variables properly protected
• Build exclusions for sensitive files
• Code review process for all changes
• Automated testing including security tests

5. Data Protection Measures

What Data We Collect

We collect only the minimum data necessary to provide our service:

• Account information (email, name, optional profile picture)
• Expense records (amounts, descriptions, dates)
• Group information (names, members)
• Individual debt records

For complete details, see our Privacy Policy.

How Data is Stored

• All data encrypted in transit (HTTPS/TLS)
• All data encrypted at rest (database encryption)
• Stored on secure Supabase servers
• Regular backups with encryption
• Geographic redundancy for reliability

Who Can Access Your Data

• Only you can access your personal data
• Group members can see shared group expenses
• Individual debts are only visible to the two parties involved
• TallyCrew staff cannot access your data without proper authorization
• We never sell or share your data with third parties

Data Retention & Deletion

• Your data is retained while your account is active
• You can delete your account at any time
• Account deletion permanently removes your personal data
• Some shared expense records may remain visible to other group members
• Deletion is immediate and cannot be undone

6. Vulnerability Reporting

How to Report Security Issues

If you discover a security vulnerability, please report it to us responsibly:

• Email us at support@confirm.tallycrew.com with "Security Vulnerability" in the subject line
• Provide detailed information about the vulnerability
• Include steps to reproduce the issue if possible
• Do not publicly disclose the vulnerability until we've addressed it
• Allow us reasonable time to fix the issue before disclosure

Our Commitment

• We will acknowledge your report within 48 hours
• We will provide regular updates on our progress
• We will credit you for the discovery (if desired)
• We will not take legal action against responsible disclosure
• We will work to fix verified vulnerabilities promptly

7. Security Certifications & Compliance

Regulatory Compliance

• GDPR: General Data Protection Regulation (EU) compliant
• CCPA: California Consumer Privacy Act compliant
• User rights to access, modify, and delete data
• Transparent data collection and usage policies
• Data protection by design and by default

Industry Standards

• HTTPS/TLS encryption (TLS 1.3)
• OAuth 2.0 for third-party authentication
• JWT (JSON Web Tokens) for session management
• Bcrypt for password hashing
• Row Level Security (RLS) for database access control

Regular Updates

• Security patches applied promptly
• Regular dependency updates
• Continuous monitoring for new vulnerabilities
• Proactive security improvements

8. Security Features for Users

TallyCrew provides you with tools to protect your account and data:

Account Security

• Strong Passwords: Required minimum 8 characters with letters and numbers
• Secure Logout: Immediately clears all session data
• Session Management: Automatic logout after extended inactivity
• OAuth Options: Sign in securely with Google

Data Control

• View Your Data: Access all your information in the app
• Export Data: Request a copy of your data at any time
• Delete Account: Permanently delete your account and data
• Modify Information: Update or correct your data anytime

Privacy Controls

• Control who can see your profile information
• Manage group memberships and visibility
• Choose what information to share with friends
• Opt out of optional features

9. Incident Response

Security Monitoring

• 24/7 monitoring of system security and performance
• Automated alerts for suspicious activity
• Regular security log reviews
• Proactive threat detection

Incident Response Procedures

In the event of a security incident, we follow a structured response process:

• Detection: Identify and verify the security incident
• Containment: Isolate affected systems to prevent spread
• Investigation: Analyze the incident to understand scope and impact
• Remediation: Fix vulnerabilities and restore normal operations
• Notification: Inform affected users as required by law
• Review: Conduct post-incident analysis and improve processes

User Notification Policy

If a security incident affects your data, we will:

• Notify you promptly via email
• Explain what happened and what data was affected
• Describe the steps we're taking to address the issue
• Provide guidance on protecting your account
• Answer your questions and concerns

Continuous Improvement

• Learn from security incidents and near-misses
• Update security policies and procedures
• Implement additional safeguards as needed
• Share lessons learned with the security community

10. Contact Information

For security-related questions, concerns, or to report vulnerabilities:

11. Additional Resources

For more information about how we protect your data and privacy:

• Privacy Policy - How we collect, use, and protect your personal data
• Terms of Service - Legal terms and conditions for using TallyCrew
• Cookie Policy - Information about cookies (we don't use any!)