Security
Effective date: July 12, 2026
An overview of the technical and organizational measures protecting data on the Tryvo platform.
Encryption
- All traffic is encrypted in transit with TLS.
- Databases and object storage are encrypted at rest by our infrastructure providers.
- OAuth credentials for connected stores and email services are additionally encrypted at the application layer (AES-256-GCM) before being stored, so they are unreadable even with direct database access.
Tenant Isolation
- Every query in the application is scoped to the requesting brand; one brand can never read another brand's campaigns, customers, or submissions.
- Uploaded files are stored under brand-scoped keys and served only through an authorization proxy that verifies the requester's access to that brand.
- Public submission links use unguessable, expiring tokens scoped to a single invitation.
Access & Authentication
- Account authentication is handled by Clerk and supports multi-factor authentication.
- Team access is role-based via organizations; access to production systems is limited to authorized personnel on a least-privilege basis.
- Incoming webhooks (Shopify, Clerk) are verified with cryptographic signatures before processing.
Infrastructure & Data Location
- The application runs on Vercel; the primary database (Neon Postgres) is hosted in the EU (Frankfurt).
- Uploaded videos and images are stored with an EU-based storage provider and are uploaded through our servers rather than directly from the browser.
- The full provider list is on the subprocessors page.
Backups & Continuity
The primary database provides continuous backups with point-in-time recovery. Background processing (scoring, rewards, emails) is built on durable, retryable job execution, so transient failures do not lose work.
Incident Response & Responsible Disclosure
We investigate security incidents immediately and notify affected customers without undue delay, in line with our DPA and applicable law. If you believe you have found a vulnerability, please email kontakt@tryvo.io with details. Do not access data that is not yours or disrupt the service while testing; we will not pursue good-faith research conducted within these bounds.
See all legal documents at tryvo.io/legal. Questions: kontakt@tryvo.io