Last updated: May 16, 2026
This document describes the security practices applied by Tarello to protect Customer data and the Service infrastructure.
1. Per-microservice isolation
Each microservice runs in separate containers, with its own database, encryption keys and private network. A project cannot access data or resources from another project, even within the same Customer, without explicit permission.
2. Encryption
- In transit: TLS 1.3 required on all API connections. Certificates auto-renewed.
- At rest: data stored on encrypted volumes (AES-256). Backups also encrypted.
- Passwords: stored with Argon2id; never in plain text.
- JWT tokens: unique signing key per project, rotatable.
3. Internal access control
Tarello team access to infrastructure follows the principle of least privilege. Every administrative action is logged in the internal audit trail. Access to Customer Content requires prior approval and documented justification.
4. WAF and attack protection
All requests pass through a Web Application Firewall with OWASP Top 10 rules. Rate limiting per IP and per project mitigates brute force and abuse. DDoS attacks are absorbed by the CDN layer.
5. Backups
Automatic daily backups, retained for 30 days. Restoration within 24h upon request. For the Enterprise plan, extended retention to 90 days and restoration within 4h.
6. Audit
The Audit microservice immutably records who did what and when across all project microservices. Logs are available to the Customer via API and to Tarello's security team in case of incident.
7. Incident response
In case of a security incident with potential impact on Customer data, Tarello notifies within 72h via Console and email, with a description of what happened, affected data and corrective actions. See also the DPA at /legal/dpa.
8. Reporting vulnerabilities
Found a vulnerability? Write to hello@tarello.io with the subject "Security report". We acknowledge receipt within 48h. We do not publish vulnerabilities before they are fixed.