Tapify

© 2026 Tapify · Digital loyalty for coffee shops

Trust

Compliance overview

A concise reference for procurement, IT, and security reviewers. We publish what is in place today and what is on the roadmap — no vague claims.

On this page

  1. Platform overview
  2. Data hosting and regions
  3. Payments and PCI
  4. Subprocessors
  5. Organizational security
  6. Privacy, GDPR and UK GDPR
  7. Incident response and vulnerability disclosure
  8. Certifications and roadmap

01 / 08

Platform overview

Tapify is a multi-tenant SaaS that issues Apple Wallet, Google Wallet, and web-based passes and runs loyalty programs on top. Every merchant workspace is isolated by tenant identifiers and row-level security.

The application is delivered over HTTPS, with authentication handled by Supabase Auth (email OTP). Sessions are short-lived and refreshed in a server-side proxy layer.

02 / 08

Data hosting and regions

Production data is stored in managed Postgres (Supabase) in the EU region by default. Additional regions can be discussed with procurement teams under an enterprise agreement.

Backups are encrypted and retained on a short rotation. Cross-region transfers, if any, are governed by standard contractual clauses.

03 / 08

Payments and PCI

Merchant subscription payments are processed by Stripe. Cardholder data is handled within Stripe’s PCI-DSS compliant infrastructure, and Tapify never stores full payment-card numbers for those transactions.

Tapify’s own scope is limited to account identifiers (customer and subscription IDs) returned by Stripe to reconcile billing state.

04 / 08

Subprocessors

Tapify relies on a short list of subprocessors: Supabase (authentication and database), Resend (transactional email), Stripe (payments), and the wallet-pass delivery endpoints operated by Apple and Google.

Each subprocessor is bound by a data-processing agreement. The current list, with regions and purposes, is available to merchants on request.

05 / 08

Organizational security

We follow industry practices for access control, encryption in transit, and secure development. Production access is role-based and requires MFA, and privileged operations are audited.

Secrets are stored in an encrypted vault; CI pipelines use short-lived tokens; code changes are peer-reviewed before merging.

06 / 08

Privacy, GDPR and UK GDPR

Tapify acts as a data processor for the end-customer data that merchants put through the platform, and as a data controller for merchant account data. Roles and obligations are set out in our Data Processing Addendum.

If you appoint an EU or UK representative under GDPR, we will publish their contact details here. Until then, route data-subject requests via Support.

07 / 08

Incident response and vulnerability disclosure

Security issues are triaged by the engineering team with a documented incident-response runbook. Confirmed incidents affecting merchant data are notified in line with applicable law and contractual commitments.

Researchers can disclose vulnerabilities via the address published at /.well-known/security.txt. We commit to acknowledging reports within five business days.

08 / 08

Certifications and roadmap

We do not claim certifications we do not hold. Where SOC 2 or ISO 27001 work is in progress, it is marked as roadmap with a target quarter rather than shipped.

Merchants with specific audit requirements can request our latest control overview and current roadmap through Support.

Need the full compliance package?

We can share our Data Processing Addendum, subprocessor list, and control overview under NDA on request.
