An honest account of our security posture. We are early-stage and self-funded. Here is what we do, what we don't yet have, and why we think transparency matters more than polished claims.
Tarkle is a suite of white-label tools for client-facing businesses: Send for file sharing and tracking, Portal for client delivery and billing, and Crew for contractor management. Each product handles different types of data on behalf of businesses and their clients. None of them are consumer products — they are business tools, and we design security accordingly.
Files are uploaded to Tarkle by businesses or their clients. Files are encrypted in transit and stored in Cloudflare. Backblaze B2 holds redundant backups for recovery in the unlikely event of a Cloudflare failure. Sharing links use cryptographically random tokens. Links can be password-protected, set to expire, or restricted to email-gated access on the Send Professional plan. Recipients access files through a branded portal under the business's own domain; Tarkle is not visible to end clients.
Work orders, deliverables, approvals, and payments are managed between an agency and its clients. Data is stored in Supabase (PostgreSQL on AWS). Client access is scoped strictly per workspace — no workspace can see another's data. All client-facing interactions happen under the agency's custom domain.
Contractor profiles, contracts, invoices, and payment records are stored per workspace. Identity verification for contractors is handled by Veriff (KYC/KYB). Contracts are signed via SignatureAPI. Tarkle never holds or routes payments — all payments go directly between the business and its contractors. Tarkle records the transaction only.
Each service below processes some form of customer data as part of operating the platform. We keep this list minimal.
| Service | Role | Data involved |
|---|---|---|
| Cloudflare, Inc. | CDN, DDoS protection, primary infrastructure | Request routing — no persistent customer data |
| Vercel, Inc. | Application hosting | Hosting infrastructure — no persistent customer data |
| Supabase, Inc. | Database and authentication | User accounts, workspace settings, metadata |
| Backblaze, Inc. | File storage and backups | Uploaded files, encrypted at rest |
| SimpleBackups | Automated backup orchestration | Database backups, encrypted transfer |
| Stripe, Inc. | Payment processing | Payment info handled entirely by Stripe — not stored by Tarkle |
| Plus Five Five, Inc. (Resend) | Transactional email | Email address, notification content |
| Sinch AB (Mailgun) | Transactional email (secondary) | Email address, notification content |
| Veriff OÜ | Identity and business verification (Crew) | ID documents and selfies — processed by Veriff, not stored by Tarkle |
| Youverify | KYB verification (Crew) | Business verification documents — processed by Youverify, not stored by Tarkle |
| Signature API, Inc. | Electronic signatures (Crew) | Contract documents, signature events |
| Vercel Analytics | Web analytics | Anonymised usage patterns, performance monitoring |
| Google LLC | Internal operations | Internal email, calendar, docs — no customer data |
This is a partial list of key sub-processors. For the complete list, see our Privacy Policy.
All connections use TLS 1.3. File uploads, downloads, and API calls are served over HTTPS. Portal and contractor sessions use HTTPS throughout. No data is transmitted in plain text.
All files are stored primarily in Cloudflare, with Backblaze B2 providing redundant backups for the unlikely event that recovery is needed. All files and database records are encrypted at rest using AES-256. For database records in Supabase (user accounts, workspace settings, file metadata, contract records, payment logs), AES-256 encryption at rest is managed by Supabase's infrastructure layer (AWS).
User passwords are hashed using bcrypt and never stored in plain text. Authentication is handled by Supabase Auth.
All file sharing links use cryptographically random tokens. Optional password protection adds a second layer. View-only and burn-after-read modes are available on the Send Professional plan.
Tarkle collects only the data necessary to operate the platform. No tracking pixels. No third-party advertising integrations. We do not sell your data or use it for advertising.
Analytics on the marketing site uses Vercel Analytics, which collects anonymised performance data and does not track individuals or create user profiles. No advertising cookies are set anywhere on Tarkle properties.
For Data Processing Agreement requests, visit our contact page.
We are an early-stage, self-funded team. We think honesty here matters more than claims we cannot back up. Here is where we actually stand.
| Item | Status |
|---|---|
| TLS 1.3 in transit | Active |
| AES-256 encryption at rest | Active |
| Cloudflare WAF and DDoS protection | Active |
| Redundant file backups (cross-region) | Active |
| Role-based access controls | Active |
| GDPR compliance practices | Active |
| Privacy-first analytics (no ad tracking) | Active |
| Identity verification via Veriff and Youverify (Crew) | Active |
| Electronic signatures via SignatureAPI (Crew) | Active |
| Two-factor authentication (2FA) | Planned |
| SOC 2 Type II | Planned |
| ISO 27001 | Planned |
| Third-party penetration test | Planned |
| Formal published SLAs (RTO/RPO/uptime %) | Planned |
| Dedicated security operations centre | N/A |
Our infrastructure providers — Cloudflare, Supabase on AWS, Backblaze, and Vercel — maintain their own SOC 2 Type II compliance and security certifications. We inherit the security of that infrastructure layer.
We do not currently publish formal SLAs, RTO/RPO targets, or guaranteed uptime percentages. We are working toward formalizing these as the product matures.
We are a small team. We do not have a dedicated security engineer or a 24/7 security operations centre. We monitor systems, respond to incidents, and apply patches as quickly as our team size allows. If that matters for your use case, you should weigh it accordingly.
If you discover a security vulnerability in Tarkle, please report it responsibly through our contact page. Do not publicly disclose it before we have had a chance to address it.