TuscanoLabs Trust Documentation

    Security

    Our commitment to protecting customer data

    Security Overview

    TuscanoLabs is built around a small set of concrete security practices we can describe in plain language. This page lists what we actually do — not what we'd like to one day do.

    Encryption

    All traffic to TuscanoLabs is served over TLS. Sensitive credentials such as GitHub OAuth tokens are additionally encrypted at rest in the application layer using AES-GCM, with the encryption key held outside the database, so a copy of the database on its own is not enough to recover them. The underlying database storage is also encrypted at rest by our hosting provider; that layer protects the storage media rather than individual records read through the database.

    Access Control

    Every database table that holds customer data has row-level security policies enforcing per-account access. Reports, scan findings, conversion outputs, and stored source files are scoped to the user that created them and cannot be read or modified by other users. API endpoints verify a signed JWT on every request.

    Data Retention

    Source files uploaded with a scan are stored alongside the report so that conversion preview, Convert All, regeneration, and ZIP download work. These source snapshots are automatically purged 30 days after the scan, or immediately when you delete the report.

    Reports themselves are retained until you delete the report or your account. Deleting a report removes the report metadata, findings, converted artifacts, and any source snapshot stored alongside it.

    Application Security

    Day-to-day security practices we maintain:

    • Rate limiting on expensive endpoints (scans, AI conversion) to prevent abuse
    • CAPTCHA (Cloudflare Turnstile) on public scan endpoints
    • Sanitized application logs that strip secrets and source content
    • Dependency monitoring and routine updates of third-party packages
    • Sentry-based crash reporting so we catch and fix issues quickly
    • Code review on every change before it ships to production

    Subprocessors

    TuscanoLabs is built on a small number of vetted infrastructure providers. The full list and their roles are in our Privacy Policy.

    Responsible Disclosure

    If you believe you have found a security vulnerability in TuscanoLabs, please report it to security@tuscanolabs.com. We treat security reports as a top priority and will acknowledge receipt as quickly as possible.