SOC 2 CertifiedGDPR CompliantISO 27001WCAG AAA

24/7 Enterprise SupportLog In

Taps.IM

ENTERPRISE

Security & Privacy Documentation

Complete technical documentation of our security architecture, compliance certifications, and privacy guarantees.

Zero-Knowledge Architecture

Overview

Our zero-knowledge architecture ensures that we never have access to your unencrypted data or encryption keys. All cryptographic operations occur client-side, and we can only see encrypted data that is meaningless without the keys you control.

Technical Implementation

▸
Client-Side Encryption:
All encryption happens in the browser using the Web Crypto API. The plaintext never leaves your device unencrypted.
▸
SRP-6a Authentication:
Secure Remote Password protocol ensures passwords are never transmitted to our servers, even during authentication.
▸
Key Derivation:
PBKDF2 with 100,000+ iterations derives encryption keys from your master password, with a unique salt per user.

Security Guarantee

Even if our servers were compromised, your data would remain secure because we never possess the keys needed to decrypt it. This is a mathematical guarantee, not just a policy.

End-to-End Encryption Specifications

Symmetric Encryption

Algorithm	AES-256-GCM
Key Size	256 bits
IV Size	96 bits
Tag Size	128 bits

Asymmetric Encryption

Algorithm	RSA-OAEP
Key Size	4096 bits
Hash	SHA-256
Padding	OAEP

Additional Security Layers

✓TLS 1.3: All data in transit is protected with TLS 1.3
✓Perfect Forward Secrecy: Ephemeral keys ensure past sessions remain secure
✓HSTS: HTTP Strict Transport Security prevents downgrade attacks
✓Certificate Pinning: Mobile apps verify server certificates

Compliance & Certifications

Regulatory Compliance

GDPR

European Union

Fully Compliant

General Data Protection Regulation

✓Right to erasure (Article 17)
✓Data portability (Article 20)
✓Privacy by design (Article 25)
✓DPO appointed

Last Audit: Q3 2024

CCPA

California, USA

Compliant

California Consumer Privacy Act

✓Consumer data deletion rights
✓Opt-out mechanisms
✓Privacy policy compliance
✓Data sale prohibition

Last Audit: Q2 2024

HIPAA

United States

Compliant

Health Insurance Portability and Accountability Act

✓BAA available
✓PHI encryption (256-bit)
✓Access controls (RBAC)
✓Audit logging

Last Audit: Q3 2024

PIPEDA

Canada

Compliant

Personal Information Protection and Electronic Documents Act

✓Consent mechanisms
✓Purpose limitation
✓Data accuracy measures
✓Safeguard requirements

Last Audit: Q1 2024

LGPD

Brazil

Compliant

Lei Geral de Proteção de Dados

✓Legal basis for processing
✓Data subject rights
✓International transfers
✓Security measures

Last Audit: Q2 2024

APPI

Japan

Compliant

Act on Protection of Personal Information

✓Purpose of use notification
✓Consent requirements
✓Security control measures
✓Disclosure upon request

Last Audit: Q3 2024

Security Certifications & Audits

SOC 2 Type II

Certified

Service Organization Control 2

Auditor: Deloitte

•Security
•Availability
•Processing Integrity

Valid Until: Dec 2025

ISO 27001:2022

Certified

Information Security Management System

Auditor: BSI Group

•Risk management
•Asset control
•Access control

Valid Until: Mar 2026

ISO 27017:2015

Certified

Cloud Security Controls

Auditor: BSI Group

•Cloud services
•Shared responsibility
•Virtual environment

Valid Until: Mar 2026

ISO 27018:2019

Certified

PII Protection in Public Clouds

Auditor: BSI Group

•PII protection
•Transparency
•Consent

Valid Until: Mar 2026

PCI DSS v4.0

Level 1

Payment Card Industry Data Security Standard

Auditor: Trustwave

•Network security
•Cardholder data
•Vulnerability management

Valid Until: Jun 2025

CSA STAR Level 2

Certified

Cloud Security Alliance Security Trust Assurance and Risk

Auditor: EY

•Cloud controls
•CCM compliance
•Transparency

Valid Until: Sep 2025

Government Clearance & Security Frameworks

US Government Standards

FedRAMP Ready

In Progress

Federal Risk and Authorization Management Program

• NIST 800-53 controls implemented
• Continuous monitoring capabilities
• 3PAO assessment scheduled Q1 2025

StateRAMP

Authorized

State and local government security standard

• Moderate impact level authorized
• Multi-state compact member
• Annual security assessments

CJIS Compliant

Active

Criminal Justice Information Services

• FBI background checks completed
• Security awareness training
• Advanced authentication required

International Government Standards

UK G-Cloud 13

Listed

UK Government Cloud framework

• Crown Commercial Service approved
• OFFICIAL classification supported
• UK data residency available

IRAP Assessed

Protected

Australian Government Information Security

• PROTECTED level certified
• ISM controls implemented
• ASD Cyber Security Centre assessed

C5 (Germany)

In Progress

Cloud Computing Compliance Criteria Catalogue

• BSI baseline protection
• German data sovereignty
• Audit Q2 2025

Personnel Security Clearance Support

US Clearances

• Secret clearance capable
• Public Trust positions
• CAC/PIV authentication

Background Checks

• FBI fingerprinting
• NACI investigations
• Continuous vetting

Facility Security

• SCIF-compliant options
• Secure compartmented info
• Physical access controls

Data Residency & Sovereignty Options

🌎North America

United States

Cities: Virginia, Oregon, Ohio, California

FedRAMP boundaryITAR compliant

Canada

Cities: Montreal, Toronto

PIPEDA compliantData sovereignty

Mexico

Cities: Querétaro

LFPDPPP compliantLocal processing

🌍Europe

Germany

Cities: Frankfurt, Berlin

GDPR compliantSchrems II ready

Ireland

Cities: Dublin

EU data centerLow latency

France

Cities: Paris

SecNumCloudSovereign cloud

Switzerland

Cities: Zurich

Swiss privacy lawsNeutral hosting

🌏Asia Pacific

Singapore

Cities: Singapore

PDPA compliantAPAC hub

Japan

Cities: Tokyo, Osaka

APPI compliantLocal presence

Australia

Cities: Sydney, Melbourne

IRAP assessedData onshore

India

Cities: Mumbai, Delhi

Data localizationIT Act compliant

Data Residency Guarantees

✓ Data never leaves selected region without explicit consent
✓ Encryption keys stored in same jurisdiction
✓ Metadata and backups remain in-region

✓ Support staff access restricted by region
✓ Compliance with local data protection laws
✓ Regional disaster recovery options

Penetration Testing & Security Assessments

Latest Penetration Testing Results

External Network Penetration Test

Test Date:October 2024

Performed by:Rapid7

Methodology:OWASP, PTES

Critical Findings:0

High Findings:0

Medium Findings:2 (Resolved)

Low Findings:5 (Resolved)

Web Application Security Test

Test Date:September 2024

Performed by:CrowdStrike

Methodology:OWASP Top 10

Critical Findings:0

High Findings:0

Medium Findings:1 (Resolved)

Low Findings:8 (Resolved)

Red Team Exercise

Last: August 2024

• Full kill-chain simulation
• Social engineering included
• 0 successful breaches
• 14-day engagement

API Security Testing

Continuous with Burp Suite

• Automated daily scans
• Authentication testing
• Rate limiting validation
• Input fuzzing

Infrastructure Testing

Quarterly assessments

• Cloud configuration review
• Container security
• Network segmentation
• Privilege escalation tests

Security Testing Partners

🛡️

Rapid7

Network Security

🔍

CrowdStrike

Application Security

🎯

Coalfire

Compliance Testing

🔐

NCC Group

Cryptography Review

Transparency Commitment: We conduct penetration testing quarterly and share high-level results with enterprise customers. Detailed reports available under NDA. Our bug bounty program has paid out over $500,000 to security researchers.

Audit Trails & Access Logs

Comprehensive Logging

Every access and action is logged with cryptographic integrity protection. Logs are immutable and tamper-evident.

Logged Events

• Authentication attempts (success/failure)
• Data access requests
• Configuration changes
• Administrative actions
• API calls and responses
• Security events and anomalies

Log Data Fields

• Timestamp (UTC, millisecond precision)
• User/Service identifier
• IP address and geolocation
• User agent and device fingerprint
• Action performed
• Result status and error codes

Log Integrity

Logs are protected with SHA-256 hash chains and stored in append-only storage. Any tampering is immediately detectable through hash verification.

Multi-Factor Authentication Options

Available Methods

📱
TOTP Apps
Google Authenticator, Authy, Microsoft Authenticator
🔑
Hardware Keys
YubiKey, Titan, any FIDO2/WebAuthn device
👆
Biometrics
Touch ID, Face ID, Windows Hello
📧
Email/SMS
Time-limited codes with anti-phishing protection

Advanced Features

🛡️
Risk-Based Authentication
Adaptive MFA based on login context and behavior
🔢
Backup Codes
One-time use recovery codes stored securely
🔄
Device Trust
Remember trusted devices for seamless access
⚡
Passwordless
WebAuthn for password-free authentication

Air-Gapped Key Generation & Management

Air-Gap Security Model

Critical cryptographic keys are generated on systems that have never been connected to the internet, ensuring zero possibility of remote compromise during key generation.

Generation Process

1. Boot from verified read-only media
2. Generate keys using hardware RNG
3. Split keys using Shamir's Secret Sharing
4. Store in HSMs and cold storage
5. Destroy generation environment

Security Controls

• Faraday cage during generation
• Multi-party key ceremony
• Video recording of process
• Cryptographic attestation
• Physical security controls

Hardware Security Modules

HSM Type	FIPS 140-2 Level 3 certified
Key Storage	Master keys never exist in plaintext outside HSM
Access Control	Multi-factor authentication with quorum
Backup	M-of-N key shares in geographically distributed vaults

Request Security Audit Report

Security & Privacy Documentation

Table of Contents

Zero-Knowledge Architecture

Overview

Technical Implementation

Security Guarantee

End-to-End Encryption Specifications

Symmetric Encryption

Asymmetric Encryption

Additional Security Layers

Compliance & Certifications

Regulatory Compliance

GDPR

CCPA

HIPAA

PIPEDA

LGPD

APPI

Security Certifications & Audits

SOC 2 Type II

ISO 27001:2022

ISO 27017:2015

ISO 27018:2019

PCI DSS v4.0

CSA STAR Level 2

Government Clearance & Security Frameworks

US Government Standards

FedRAMP Ready

StateRAMP

CJIS Compliant

International Government Standards

UK G-Cloud 13

IRAP Assessed

C5 (Germany)

Personnel Security Clearance Support

Data Residency & Sovereignty Options

🌎North America

🌍Europe

🌏Asia Pacific

Data Residency Guarantees

Penetration Testing & Security Assessments

Latest Penetration Testing Results

External Network Penetration Test

Web Application Security Test

Red Team Exercise

API Security Testing

Infrastructure Testing

Security Testing Partners

Audit Trails & Access Logs

Comprehensive Logging

Logged Events

Log Data Fields

Log Integrity

Multi-Factor Authentication Options

Available Methods

Advanced Features

Air-Gapped Key Generation & Management

Air-Gap Security Model

Generation Process

Security Controls

Hardware Security Modules