Security at Tether

Tether is built on infrastructure providers that maintain rigorous security certifications and practices:

• Supabase (database and authentication): SOC 2 Type II certified. Provides encrypted storage, network isolation, and managed authentication services.
• Vercel (application hosting): SOC 2 Type II certified. Provides DDoS protection, edge network security, HTTPS enforcement, and HSTS.
• Stripe (payment processing): PCI DSS Level 1 certified. Payment card data is handled entirely by Stripe and never touches our servers.
• Resend (transactional email): Handles delivery of transactional and notification emails.
• Customer.io (customer messaging): Powers customer messaging and campaign automation workflows.

By building on these certified platforms, Tether benefits from enterprise-grade physical security, redundant infrastructure, and continuous monitoring maintained by dedicated security teams at each provider.

Encryption in Transit

All traffic between your browser and Tether is served over HTTPS. Connections to our database use encrypted channels to protect data in transit.

Encryption at Rest

Sensitive credentials, such as third-party integration tokens, are encrypted at the application level using AES-256-GCM before being stored. Our database provider also encrypts data at rest at the infrastructure level.

Database Security

Our database infrastructure provides encrypted connections and network isolation. All data access in production is routed through the application layer, preventing direct client-side database access.

User Authentication

Users can sign in with email and password or passwordless magic links. Sessions are managed via secure, HTTP-only cookies and are automatically refreshed on each request.

API Key Security

API keys are generated with cryptographically random secrets. The full key is shown once at creation; only a SHA-256 hash is stored in our database. Keys can be revoked at any time from your dashboard.

OAuth 2.0 with PKCE

Third-party integrations authenticate via OAuth 2.0 with PKCE (RFC 7636). Authorization codes and access tokens have short expiry windows, and all tokens are stored as SHA-256 hashes.

Input Validation

All API endpoints validate input using server-side schemas and guard functions. This protects against injection attacks and malformed data.

CORS

Internal API routes use restricted CORS policies, allowing only specific known origins. Public-facing endpoints have broader access as required by their protocols.

Rate Limiting

Rate limiting is applied to public-facing endpoints to prevent abuse, with per-endpoint and per-user limits.

Webhook Verification

Incoming payment webhooks are verified using cryptographic signature checks before any event is processed, preventing spoofed or tampered payloads.

Data Collection

We collect information necessary to provide our services: account details, customer data you choose to track, and usage information. We do not sell your data to third parties.

Data Isolation

Customer data is scoped by product and user identifiers in our data model. All queries are filtered through server-side authorization to ensure you only access your own data.

Data Retention & Deletion

We retain your data only as long as necessary to provide our services. When you delete your account, we permanently remove your data from our systems within 30 days. For full retention details, see our Privacy Policy.

All operations executed through our API layer are logged with the user ID, operation name, source, and authentication type. Rate limit violations and access anomalies are also captured for review.

Tether is committed to respecting user privacy and meeting applicable data protection requirements:

In the event of a security incident affecting customer data, we will:

• Investigate and contain the incident promptly
• Notify affected customers without undue delay
• Provide clear information about the nature and scope of the incident
• Take corrective steps to prevent recurrence
• Comply with all applicable breach notification laws (including the 72-hour GDPR notification requirement where applicable)

While we implement the security measures described above, your security also depends on your practices:

• Use a strong, unique password for your Tether account
• Keep your API keys and OAuth tokens secure; rotate them if compromised
• Be cautious of phishing attempts—we'll never ask for your password via email
• Review your account activity regularly for any suspicious behavior
• Log out of Tether when using shared computers
• Report any security concerns immediately