Security & Responsible Disclosure
How TentPole protects your data and how to report security issues.
Effective: June 23, 2026 · Version: 1.0
1. Our Security Practices
- Encryption in transit: TLS 1.2+ everywhere (HSTS enforced)
- Encryption at rest: Database storage encrypted (AES-256)
- Row-level security: Multi-tenant isolation enforced at the database
- Access controls: Production access requires MFA; least-privilege roles
- Payment data: Not stored — handled by PCI-DSS compliant third parties (currently PayPal)
- Monitoring: Error tracking, audit logging, anomaly detection
- Backups: Daily encrypted backups, 30-day retention, restore tested quarterly
- Dependency security: Automated scans, prompt patching of critical CVEs
- Incident response: Documented procedures, 72-hour breach notification
2. Reporting a Vulnerability
We welcome reports from security researchers. Please email security@thetentpole.com with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact info (for follow-up and credit)
3. Safe Harbor
If you make a good-faith effort to comply with this policy, we will:
- Not pursue legal action against you
- Work with you to understand and address the issue quickly
- Recognize your contribution (with your permission)
4. Scope
In scope:
- thetentpole.com and subdomains
- TentPole APIs
- Mobile applications (when launched)
Out of scope:
- Third-party services (PayPal, Supabase, Sentry — report directly to those vendors)
- Social engineering of TentPole staff or customers
- Denial-of-service attacks
- Physical security
- Issues requiring extensive user interaction or privileged network position
- Best-practice findings without demonstrable security impact
5. Rules of Engagement
While testing:
- Do not access, modify, or delete other users' data
- Do not disrupt the Service for other users
- Use only your own test accounts
- Stop testing immediately if you encounter sensitive data; report and discontinue
- Do not publicly disclose until we have had a reasonable time to investigate and respond (typically 90 days)
6. Recognition
We do not currently operate a paid bug bounty program. Verified, in-scope reports may be acknowledged in a public researchers list with your permission.
7. PGP Key
For sensitive disclosures, request our PGP key from security@thetentpole.com.