Security at Tagmaps
Effective date: May 9, 2026 Last updated: May 9, 2026Tagmaps takes the security of customer data seriously. This page summarises how we secure tagmaps.io and our scanning service. It is intentionally specific. If something you need is not covered here, please email security@tagmaps.io.
1. Hosting and infrastructure
Tagmaps runs on Amazon Web Services. The marketing website and scanning service are hosted in AWS regions in the United States. Underlying infrastructure security (physical, network, and platform) is provided by AWS, who hold SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, and other certifications.
The marketing site is served behind Amazon CloudFront, which provides DDoS protection at the network and transport layers (AWS Shield Standard) and TLS termination at the edge.
2. Encryption
In transit. All traffic to tagmaps.io and our application APIs is served over HTTPS using TLS 1.2 or higher. HTTP requests are redirected to HTTPS at the edge. HSTS is enabled. At rest. Data stored in AWS managed services (Amazon S3, DynamoDB, RDS, Cognito, Secrets Manager, SSM Parameter Store) is encrypted at rest using AWS-managed keys.3. Access controls
Production access is limited to a small number of authorised engineers. Administrative access requires multi-factor authentication. We follow least-privilege principles for IAM roles and revisit access on a regular cadence.
Application secrets (API keys, signing keys, credentials) are stored in AWS Systems Manager Parameter Store as encrypted strings. They are not committed to source control.
4. Application security
We follow standard practices appropriate for our team size:
- Dependency updates are tracked and reviewed.
- Static analysis runs on every push to the main branch.
- Code changes are reviewed before reaching production.
- Forms that accept user input validate at the boundary, and we use parameterised queries throughout.
- Customer-facing pages have a strong content security posture: cookies set by us are scoped to the tagmaps.io domain, and we use the consent-management flow described in our Cookie Notice to gate non-essential third-party scripts.
5. Payments
Payments are processed by Stripe, Inc. Tagmaps does not store, transmit, or process credit card numbers. Card data is collected directly by Stripe in a payment frame and never touches our servers. Stripe is a PCI DSS Level 1 service provider.
6. Subprocessors
We use a small set of third-party service providers for hosting, payments, customer communications, and CRM. The current list, including each provider's purpose and primary location, is in Section 6 of our Privacy Notice. Subprocessors are bound by contract to use customer data only for the services they provide to us, and to maintain appropriate technical and organisational measures.
Customers can request the current list of subprocessors at any time by emailing legal@tagmaps.io.
7. Data retention and deletion
We retain customer data only as long as it is needed for the purposes set out in our Privacy Notice and Terms of Service, or as required by law. Customers can request export or deletion of their data by emailing privacy@tagmaps.io. We respond to verifiable requests within the time periods required by applicable law.
8. Vulnerability reporting
If you believe you have found a security vulnerability in Tagmaps, please report it to security@tagmaps.io. Include enough detail for us to reproduce the issue.
We do not currently operate a paid bug-bounty program. We will acknowledge reports within two business days and keep you informed as we triage and remediate.
When researching vulnerabilities, please:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption for other users.
- Do not access data that does not belong to you.
- Do not perform load testing or denial-of-service testing.
- Give us a reasonable amount of time to remediate before public disclosure.
We will not pursue good-faith research that follows these guidelines.
9. Compliance status
Tagmaps does not currently hold third-party security certifications such as SOC 2 or ISO 27001. We are a small team and prefer to be straightforward about that rather than overstate our posture. Customers evaluating Tagmaps for sensitive use cases are welcome to schedule a security review with our team and to request answers to standard security questionnaires.
A Data Processing Agreement covering Tagmaps' obligations as a processor under GDPR, UK GDPR, and applicable US state laws is available on request from legal@tagmaps.io.
10. Changes to this page
We will update this page as our security program evolves. Material changes will be reflected in the Last updated date at the top.