
Security

This page is the public-facing summary. The full security policy lives at toado.dev/security. For incident reports or coordinated disclosure, see Contact.

In transit

  • All traffic between clients (web app, extension, MCP server) and the Toado backend is HTTPS only. HTTP is not supported.
  • TLS 1.2 minimum, TLS 1.3 preferred. Modern cipher suites only.
  • Certificate management is handled by Vercel’s edge.

At rest

  • Postgres for all relational data, encrypted at rest by the managed provider.
  • Captured screenshots and attachments live in object storage (S3-compatible, encrypted at rest).
  • API tokens are hashed; the plaintext is shown once at creation and is not recoverable.
  • Passwords: there are no Toado passwords. Sign-in is OAuth (Google) or email magic links, so there is no password database to brute-force or leak. Account access therefore rests on the OAuth provider, the mailbox that receives magic links, and the API tokens described below.

Auth

  • Web app sessions: short-lived cookies, refreshed against the auth provider on idle.
  • Extension auth: OAuth handoff to the web app, returns a session bound to the extension’s local storage.
  • MCP and REST: Bearer tokens in the Authorization header. See API tokens.
  • All write operations record the calling identity (user id, token id, token label) on the resulting row.
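The token handling above, as an added example (not Toado's own code): a token is minted once, only its SHA-256 digest is stored, and each request's `Authorization: Bearer` header is resolved back to the stored record and used to stamp the calling identity onto a written row. The `toado_` prefix, the in-memory store, the `tok_` identifier format and the column names are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

# Assumption: a fixed prefix lets secret scanners recognise a leaked token.
TOKEN_PREFIX = "toado_"


@dataclass
class TokenRecord:
    token_id: str    # public identifier, safe to log and show in the UI
    user_id: str
    label: str
    token_hash: str  # SHA-256 hex digest; the plaintext is never stored


# Hypothetical store for this example: digest -> record. The real backend keeps
# this in Postgres (see "At rest"); the layout here is an assumption.
token_store: dict[str, TokenRecord] = {}


def hash_token(plaintext: str) -> str:
    # The token carries 256 bits of randomness, so one fast hash is enough: a
    # stolen table of digests cannot be inverted or brute-forced. A slow KDF is
    # only needed for low-entropy secrets such as passwords, and there are none.
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def create_token(user_id: str, label: str) -> tuple[str, str]:
    """Mint a token. The plaintext is returned exactly once and is not kept."""
    plaintext = TOKEN_PREFIX + secrets.token_urlsafe(32)
    token_id = "tok_" + secrets.token_hex(8)
    digest = hash_token(plaintext)
    token_store[digest] = TokenRecord(token_id, user_id, label, digest)
    return token_id, plaintext


def authenticate(headers: dict[str, str]) -> TokenRecord | None:
    """Resolve `Authorization: Bearer <token>` to a stored record, or None."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        return None
    # The lookup is keyed by the digest, so the presented plaintext never
    # reaches the database, and a timing difference on the lookup could reveal
    # at most the digest, which is useless without the preimage.
    return token_store.get(hash_token(credential))


def revoke(token_id: str) -> bool:
    """Revocation works by public id; nobody needs the plaintext to revoke."""
    for digest, record in list(token_store.items()):
        if record.token_id == token_id:
            del token_store[digest]
            return True
    return False


def stamp_write(row: dict, caller: TokenRecord) -> dict:
    """Record the calling identity on a row produced by a write."""
    return {
        **row,
        "created_by_user": caller.user_id,
        "created_by_token": caller.token_id,
        "created_by_label": caller.label,
    }
```

A practical consequence of this design: if a user loses the plaintext, the only recovery is to revoke the token and mint a new one, which is exactly what you want, because it also bounds the damage from a token that was lost to an attacker rather than misplaced.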

Multi-tenant isolation

  • Every row in every table is scoped to a company id.
  • Queries are filtered server-side by the calling user’s company memberships; there is no shared “all companies” view.
  • Tokens can be restricted further (to specific companies or projects); restricted tokens never see rows outside their scope, including in search.
  • Cross-company moves of tickets are forbidden in the API regardless of token scope.
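How the four rules above fit together in a query layer, as an added example (not Toado's own code): the caller's company memberships are the outer bound, a restricted token can only narrow that bound, every read is filtered by the resulting set before any other predicate is applied (including search), and a move is refused whenever the target company differs from the ticket's company, whatever the token's scope. The SQLite schema, the sample rows and the `Caller` shape are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed schema for the example; Toado's real tables are not public.
SCHEMA = """
CREATE TABLE memberships (user_id TEXT NOT NULL, company_id TEXT NOT NULL);
CREATE TABLE tickets (
    id INTEGER PRIMARY KEY,
    company_id TEXT NOT NULL,
    project_id TEXT NOT NULL,
    title TEXT NOT NULL
);
"""


def open_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO memberships VALUES (?, ?)",
                   [("u1", "acme"), ("u1", "globex"), ("u2", "globex")])
    db.executemany("INSERT INTO tickets (id, company_id, project_id, title) VALUES (?, ?, ?, ?)", [
        (1, "acme", "web", "Login button misaligned"),
        (2, "acme", "mobile", "Crash on login"),
        (3, "globex", "web", "Login page returns 500"),
        (4, "globex", "web", "Footer overlaps content"),
    ])
    db.commit()
    return db


@dataclass(frozen=True)
class Caller:
    user_id: str
    company_scope: Optional[frozenset] = None  # None: token not restricted
    project_scope: Optional[frozenset] = None  # None: token not restricted


def visible_companies(db: sqlite3.Connection, caller: Caller) -> set:
    """Membership is the outer bound; a restricted token can only narrow it."""
    rows = db.execute("SELECT company_id FROM memberships WHERE user_id = ?", (caller.user_id,))
    companies = {company for (company,) in rows}
    if caller.company_scope is not None:
        companies &= caller.company_scope
    return companies


def search_tickets(db: sqlite3.Connection, caller: Caller, needle: str) -> list:
    """Search is scoped exactly like any other read: company filter first."""
    companies = sorted(visible_companies(db, caller))
    if not companies:
        return []  # no membership, or scope excludes everything: nothing, never "all"
    sql = ("SELECT id FROM tickets WHERE company_id IN (%s) AND instr(lower(title), ?) > 0"
           % ",".join("?" * len(companies)))
    params = [*companies, needle.lower()]
    if caller.project_scope is not None:
        projects = sorted(caller.project_scope)
        if not projects:
            return []
        sql += " AND project_id IN (%s)" % ",".join("?" * len(projects))
        params += projects
    return [row[0] for row in db.execute(sql + " ORDER BY id", params)]


def move_ticket(db: sqlite3.Connection, caller: Caller,
                ticket_id: int, target_company: str, target_project: str) -> None:
    row = db.execute("SELECT company_id, project_id FROM tickets WHERE id = ?", (ticket_id,)).fetchone()
    if row is None or row[0] not in visible_companies(db, caller):
        raise LookupError("ticket not found")  # same answer for missing and out-of-scope
    company, project = row
    if target_company != company:
        raise PermissionError("cross-company moves are not allowed")  # regardless of scope
    if caller.project_scope is not None and not {project, target_project} <= caller.project_scope:
        raise PermissionError("token scope does not cover the source or target project")
    # The company id is repeated in the UPDATE so the write can never cross tenants,
    # even if the row changed between the read and the write.
    db.execute("UPDATE tickets SET project_id = ? WHERE id = ? AND company_id = ?",
               (target_project, ticket_id, company))
    db.commit()


def ticket_project(db: sqlite3.Connection, ticket_id: int) -> str:
    return db.execute("SELECT project_id FROM tickets WHERE id = ?", (ticket_id,)).fetchone()[0]
```

Two details worth copying: an out-of-scope ticket and a missing ticket produce the same error, so a restricted token cannot enumerate ids it may not see; and the cross-company check runs before the scope check, so it holds even for an unrestricted token.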

Trust boundary, in plain English

What you trust Toado with when you capture a page:

  • The screenshot pixels.
  • The console output the page produced since extension load.
  • The network requests the page made since extension load (including bodies up to a size cap, and including any sensitive data those bodies contain).
  • The URL.

What we do not see:

  • Cookies, local storage, IndexedDB.
  • Form input values (we do not capture what you type).
  • Pages other than the active tab at the moment of capture.
  • Anything from a tab you did not capture from.

See Permissions & privacy for the extension’s specific permission usage.

Redaction

The annotation toolbar's redact and blur tools are an overlay on the rendered image; they do not alter the screenshot bytes already stored on the server, so the unmasked original still exists there.

For genuine pre-upload redaction, use Redact image regions on capture in Extension options. When that is on, the redaction is baked in before the bytes leave your machine.

For sensitive content you must not have on the server: do not capture the page.

Logging and audit

  • Every API call is logged with the calling token id, IP, user agent, and operation.
  • Write operations additionally record the resulting state diff for tickets and comments.
  • Logs are retained per the data retention policy.
  • Owners can request an audit log export from Settings › Audit log (when shipped).
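What a per-call log entry with a state diff can look like, as an added example (not Toado's own logging code): the diff lists only the fields whose value changed, with the old and new value for each, and is attached only to write operations. The field names of the entry and the sample ticket are assumptions for illustration.

```python
import json
from datetime import datetime, timezone
from typing import Optional


def state_diff(before: dict, after: dict) -> dict:
    """Field-level diff: only keys whose value changed, with old and new values."""
    return {
        key: {"from": before.get(key), "to": after.get(key)}
        for key in sorted(set(before) | set(after))
        if before.get(key) != after.get(key)
    }


def audit_entry(token_id: str, ip: str, user_agent: str, operation: str,
                before: Optional[dict] = None, after: Optional[dict] = None,
                at: Optional[str] = None) -> dict:
    """One log record per API call; write operations additionally carry a diff.

    Field names are assumptions for this example. `at` is an ISO-8601 timestamp
    (UTC now if omitted) so the entry is reproducible in tests.
    """
    entry = {
        "ts": at or datetime.now(timezone.utc).isoformat(),
        "token_id": token_id,      # the public id, never the token itself
        "ip": ip,
        "user_agent": user_agent,
        "operation": operation,
    }
    if before is not None or after is not None:
        entry["diff"] = state_diff(before or {}, after or {})
    return entry


def to_line(entry: dict) -> str:
    """One JSON object per line, keys sorted, for grep-friendly append-only logs."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))
```

Logging the token id rather than the token keeps the audit trail useful after a revocation without turning the log store into a second copy of the secret.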

Incident reporting

If you believe you have found a security issue:

  1. Email security@toado.dev with a description, reproduction steps, and (optionally) a suggested fix.
  2. We will respond within 48 hours.
  3. We do not run a paid bug-bounty program in v1; we will publicly credit reporters who request it.

Please do not file public GitHub issues or social-media posts before contacting us.

Compliance

Toado is in early-stage growth. We do not currently hold SOC 2, ISO 27001, or HIPAA certifications. The roadmap includes SOC 2 Type II once we have customer pull for it.

For DPA, see toado.dev/dpa.
