Twomiah Software Ventures implements administrative, technical, and organizational safeguards designed to protect the confidentiality, integrity, and availability of customer data across all products and services.
1. Infrastructure Security
Our infrastructure is built on industry-leading cloud providers:
| Provider | Role | Security Certifications |
|---|
| Render | Application hosting, PostgreSQL databases | SOC 2 Type II |
| Supabase | Database hosting, authentication | SOC 2 Type II |
| Amazon Web Services | File and media storage (S3) | SOC 2, ISO 27001, FedRAMP |
| Cloudflare | CDN, DNS, DDoS mitigation, R2 storage | SOC 2, ISO 27001 |
Controls include:
- Network isolation and segmentation
- Firewall and traffic filtering
- DDoS mitigation via Cloudflare
- Encrypted storage at rest (AES-256 via infrastructure providers)
2. Data Encryption
- In transit — all data transmitted between clients and servers is encrypted using TLS 1.2 or higher. All internal API calls to third-party services are encrypted in transit.
- At rest — databases are encrypted at rest using AES-256 encryption provided by our infrastructure providers (Render, Supabase, AWS).
- Sensitive fields — certain sensitive data (e.g., SSN, license numbers in healthcare products) is encrypted at the application level using dedicated encryption keys.
3. Data Isolation
Each customer receives a dedicated, isolated database instance. Customer data is never commingled with another customer's data in the same database. This architecture provides strong isolation and prevents cross-tenant data access.
4. Authentication & Access Control
- Password security — user passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
- Token-based authentication — API access uses short-lived JWT tokens with automatic rotation of refresh tokens.
- Role-based access control (RBAC) — users are assigned roles (owner, admin, editor, viewer) that determine their access level within the platform.
- Internal access — Twomiah team access to production systems is limited to what is strictly necessary for operations and support.
5. Application Security
- Input validation and sanitization on all user inputs
- Protection against OWASP Top 10 vulnerabilities (XSS, SQL injection, CSRF, etc.)
- Content Security Policy (CSP) headers where applicable
- Dependency monitoring and regular security updates
- Environment-based secret management (API keys and credentials stored as environment variables, never in source code)
6. Monitoring & Logging
- Error monitoring — Sentry is used for real-time error tracking and performance monitoring across production services. PII scrubbing is configured to prevent sensitive data from appearing in error reports.
- Infrastructure monitoring — Render provides service health monitoring, auto-restart on failure, and resource usage alerts.
- Log retention — application and server logs are retained for 30–90 days for security, debugging, and audit purposes.
7. Vendor Security
All Sub-processors are vetted prior to use and must meet our security and data protection requirements. High-risk vendors (payment processors, healthcare integrations, AI providers) are subject to additional review. A full list is published at twomiah.com/sub-processors.
8. Change Management
- All source code is stored in private GitHub repositories
- Changes are reviewed before deployment
- Production and development environments are separated
- Rollback capability exists for all deployments
- Automated deployment pipelines via Render
9. Backup & Recovery
- Databases are backed up automatically by our infrastructure providers (Render, Supabase)
- Backup retention: 30 days rolling
- Recovery procedures are in place for critical systems
10. Data Retention
| Data Type | Retention Period |
|---|
| Account data | Duration of account + 30 days after cancellation |
| CRM and business data | Duration of subscription + 30 days for export |
| Payment records | 7 years (legal/tax compliance) |
| Application logs | 30–90 days |
| Database backups | 30 days rolling |
| Support tickets | 1–3 years |
| Call recordings (if enabled) | Per account settings, deletable anytime |
11. Incident Response
Definition
A "Security Incident" includes unauthorized access to data, data breach or exposure, service disruption due to attack, or loss or compromise of credentials.
Detection
Incidents may be identified through monitoring systems (Sentry), infrastructure alerts (Render), or user reports.
Response Process
- Step 1: Containment — isolate affected systems, revoke compromised credentials
- Step 2: Investigation — identify root cause, determine scope of impact
- Step 3: Remediation — patch vulnerabilities, restore systems
- Step 4: Recovery — resume normal operations, monitor for recurrence
Breach Notification
Where required by law (e.g., GDPR Article 33, state breach notification laws):
- We will notify affected customers without undue delay
- Notifications will include the nature of the breach, data affected, and mitigation steps taken
- GDPR: notification to supervisory authority within 72 hours where applicable
- HIPAA (if applicable): notification within 60 days as required
Post-Incident Review
After resolution, we conduct a root cause analysis and implement preventive measures to reduce the likelihood of recurrence.
12. Responsible Disclosure
If you discover a security vulnerability in any Twomiah product, please report it responsibly to security@twomiah.com. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly. We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.
13. Contact
For security-related questions or to report a concern:
Twomiah Software Ventures
Jeremiah Phillips
2607 Beverly Hills Drive
Eau Claire, WI 54701
security@twomiah.com
(715) 864-5052