tideflow. docs

Security & Privacy

Security overview

Review Tideflow's high-level hosting, authentication, and security posture before deployment or review.

Last updated: 2026-03-27

Hosting and infrastructure

Tideflow runs on established cloud infrastructure providers. The web application and marketing site are hosted on Vercel. The backend database and authentication layer run on Supabase. Voice processing uses secure, real-time connections through Twilio and OpenAI.

All production traffic is served over HTTPS. Data in transit is encrypted using TLS. Data at rest is encrypted by the underlying infrastructure providers.

Authentication

Tideflow uses secure, token-based authentication provided by Supabase Auth. There are no plain-text passwords stored. Sessions are managed with short-lived tokens and are scoped to the authenticated user's workspace.

Workspace owners verify their phone number during onboarding, which confirms their identity and enables features like self-notes.

Webhook security

Outbound webhook deliveries can include HMAC signatures so your receiver can verify that the request came from Tideflow and was not tampered with in transit. See webhooks for more detail.

Data access

Each Tideflow workspace is isolated. Users can only access data within their own workspace. Row-level security policies enforce this at the database level, meaning that even if a query were constructed incorrectly, users could not access another workspace's data.

Third-party services

Tideflow uses the following third-party services in its production stack:

  • Vercel— Application hosting and edge delivery
  • Supabase— Database, authentication, and serverless functions
  • Twilio— Phone number provisioning and call routing
  • OpenAI— AI voice model for the receptionist
  • Stripe— Payment processing and billing

Each provider has its own security certifications and compliance programs. Tideflow selects providers that meet industry-standard security practices.

What Tideflow does not do

  • Tideflow does not sell or share customer data with third parties for marketing
  • Tideflow does not store payment card details directly (handled by Stripe)
  • Tideflow does not send unsolicited outbound SMS or calls

Further review

If you need more detail for a security review, compliance questionnaire, or vendor assessment, contact security@tideflow.au. Tideflow is happy to engage with reasonable security review requests from customers and prospects.

For information about how long data is retained and how to request deletion, see retention and deletion.

Next up

Retention and deletion

Understand how data retention and deletion are handled at a high level for customer-facing support needs.