Security

How we protect your data

Security isn't a feature we bolt on later. It's built into how we write code, deploy infrastructure, and operate as a company.

Secure development

  • Every commit scanned automatically with AI-powered security analysis (Claude Code Security Checker)
  • OWASP Top 10 testing as part of our development workflow
  • Dependency vulnerability scanning on every build
  • Code review required on all changes before merge

Data protection

  • All data encrypted in transit (TLS 1.2+)
  • All data encrypted at rest (AES-256)
  • Database backups encrypted and geographically redundant
  • Strict access controls — principle of least privilege

Infrastructure

  • Hosted on Vercel and AWS with enterprise-grade reliability
  • Automatic scaling and DDoS protection
  • Environment separation (production, staging, development)
  • Infrastructure as code — all changes tracked and auditable

Access & authentication

  • SSO support for enterprise customers
  • Role-based access control (RBAC)
  • Session management with secure token handling
  • Multi-factor authentication available

GDPR compliance

Tenhaw is built with GDPR compliance as a core requirement, not an afterthought. We are a UK-registered company and process data in accordance with UK GDPR and the Data Protection Act 2018.

  • Data Processing Agreements (DPAs) available for all customers
  • Clear data retention policies with automated deletion
  • Right to access, rectification, and erasure honoured within 30 days
  • Data portability — export your data at any time in standard formats
  • Sub-processor list available on request
  • Privacy impact assessments conducted for new features

Compliance roadmap

We're transparent about where we are today and where we're heading.

GDPR compliant (UK GDPR & Data Protection Act 2018)
OWASP Top 10 security testing
AI-powered security scanning on every commit
Encrypted at rest and in transit
Role-based access control (RBAC)
SSO support
SOC 2 Type II — in progress
ISO 27001 — in progress

Enterprise penetration testing

We understand that enterprise customers may require independent penetration testing before onboarding. We're happy to facilitate this.

  • We can arrange third-party penetration testing for enterprise customers
  • Testing costs are passed through at cost — we're a startup and want to be transparent about this
  • Results are shared in full with no redactions
  • Remediation timelines agreed collaboratively

Data residency

By default, Tenhaw data is stored and processed in EU/UK regions. For enterprise customers with specific data residency requirements, we can discuss options as part of onboarding. Contact us at security@tenhaw.com for details.

Responsible disclosure

If you discover a security vulnerability, please report it to security@tenhaw.com. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before public disclosure.

Questions about security?

We're happy to discuss our security practices in detail, provide a DPA, or walk through our compliance roadmap with your security team.

Email security@tenhaw.comContact us