Security & Privacy
Built to protect
Built to protect
retailers and shoppers.
Security is foundational to Tabsy — not an add-on. Here's what's live today and what's planned for enterprise.
TLS 1.2+
Encryption in transit
AES-256
Encryption at rest
GDPR & UAE PDPL
Regulatory compliance
SOC 2 infra
Cloud infrastructure
Platform-wide - all users
Core security, available now
- ✓Encryption in transit - HTTPS / TLS 1.2+ on all connections
- ✓Encryption at rest - AES-256 on all stored data (managed by our cloud provider)
- ✓Authentication - email/password and magic-link via our managed auth service with secure token management
- ✓Row Level Security (RLS) - database policies ensure each user can only access their own data
- ✓SHA-256 API key hashing - retailer API keys are stored as hashed values, never in plain text
- ✓Signed storage URLs - receipt files are served via short-lived signed URLs, not public links
- ✓CSP headers - Content Security Policy enforced on all pages
- ✓Delete controls - remove receipts or close your account at any time
- ✓Private accounts - receipt data scoped strictly to the owning account
- ✓No advertising - we never sell user data to third parties
- ✓GDPR & UAE PDPL - built for EU and UAE regulatory requirements
- ✓Data minimisation - we store only what's needed to deliver receipts
For retailers & enterprise
Integration & enterprise security
- ✓API key authentication - all retailer calls require a signed Bearer token
- ✓Webhook signature verification - payloads signed for authenticity
- ✓Scoped credentials - retailer keys can write receipts but cannot read shopper data
- ✓Secure SFTP drop - for legacy POS systems
- ○Role-based access controlRoadmap
- ○Audit logs for enterprise accountsRoadmap
- ○Regional data residency EU / UAERoadmap
- ○SSO / SAML for admin portalsRoadmap
For shoppers
Your data, your control
- ✓Receipts are private - only you see your vault; retailers cannot browse your account
- ✓Delete anytime - remove receipts or close your account from within the app
- ✓No ads, ever - we don't share purchase data with advertisers
- ✓Data portability - export receipts as CSV at any time
- ✓EU & UAE rights - access, rectification, and erasure under GDPR and UAE PDPL
Compliance & hosting
Tabsy runs on enterprise-grade cloud infrastructure - SOC 2 Type II-certified providers handle the database, storage, authentication, and edge delivery. Formal certifications in Tabsy's own name (ISO 27001, SOC 2) are planned as the platform scales.