Security Practices
Last updated: March 7, 2026
1. Overview
At Tolinku, security is foundational to everything we build. As a deep linking platform that processes millions of link clicks and handles business-critical routing configurations, we take our responsibility to protect your data seriously.
This page describes the technical and organizational measures we implement to safeguard the Tolinku platform, your account data, and the analytics we process on your behalf. If you have questions about any of these practices, please contact us at [email protected].
2. Infrastructure Security
2.1 Network Security
- TLS everywhere: all connections to Tolinku services are encrypted with TLS 1.2 or higher. We do not support unencrypted HTTP connections; all HTTP requests are redirected to HTTPS.
- CDN and DDoS protection: our services are fronted by Cloudflare, which provides DDoS mitigation, rate limiting, and Web Application Firewall (WAF) capabilities.
- Reverse proxy: application servers sit behind a reverse proxy layer and are not directly accessible from the public internet.
2.2 Hosting
- Isolated environments: production, staging, and development environments are fully separated with distinct credentials and network boundaries.
- Minimal attack surface: servers run only the services required for the platform. Unnecessary ports and services are disabled.
- Automated deployments: code is deployed through CI/CD pipelines, reducing the risk of human error during deployments.
3. Data Encryption
3.1 In Transit
All data transmitted between your browser (or SDK) and our servers is encrypted using TLS. This includes:
- Dashboard and API traffic
- Deep link redirects and click tracking
- SDK communications
- Webhook deliveries to your endpoints
3.2 At Rest
- Database encryption: business data stored in our database layer is encrypted at rest using AES-256.
- Passwords: user passwords are hashed using bcrypt with a per-user salt. We never store plaintext passwords.
- API keys: secret API keys are stored in hashed form. Publishable keys are stored in plaintext as they are designed to be included in client-side code.
- Backups: database backups are encrypted using the same standards as the primary data store.
4. Authentication and Access Controls
4.1 User Authentication
- Session management: authenticated sessions use secure, HTTP-only cookies with SameSite attributes to prevent session hijacking and CSRF attacks.
- CSRF protection: all state-changing requests require a valid CSRF token using a double-submit cookie pattern.
- Password requirements: we enforce minimum password length and complexity requirements at account creation.
4.2 API Authentication
- API key scoping: Tolinku issues two types of API keys: publishable keys (tolk_pub_) for client-side use and secret keys (tolk_sec_) for server-side use. Each key type has different permission levels.
- Key rotation: API keys can be regenerated at any time through the dashboard, immediately invalidating the previous key.
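The sketch below illustrates the storage and rotation behaviour described in sections 3.2 and 4.2. It is an added example, not Tolinku's code. The `KeyStore` class, the choice of SHA-256 for hashing and the one-key-per-Appspace model are assumptions; only the `tolk_pub_` and `tolk_sec_` prefixes come from this page.

```python
import hashlib
import hmac
import secrets

PUB_PREFIX, SEC_PREFIX = "tolk_pub_", "tolk_sec_"  # prefixes named on this page


class KeyStore:
    """Hypothetical in-memory store: one active key of each type per Appspace."""

    def __init__(self):
        self._pub = {}       # appspace_id -> publishable key, kept in plaintext
        self._sec_hash = {}  # appspace_id -> SHA-256 hex digest of the secret key

    @staticmethod
    def _digest(key: str) -> str:
        # Assumption: SHA-256. Keys are long random strings, so a fast hash
        # is adequate (passwords, by contrast, need a slow hash like bcrypt).
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, appspace_id: str, kind: str) -> str:
        """Create or rotate a key; the full secret is returned exactly once."""
        if kind == "publishable":
            key = PUB_PREFIX + secrets.token_urlsafe(32)
            self._pub[appspace_id] = key
        elif kind == "secret":
            key = SEC_PREFIX + secrets.token_urlsafe(32)
            # Overwriting the digest is the rotation: the old key stops matching.
            self._sec_hash[appspace_id] = self._digest(key)
        else:
            raise ValueError("unknown key kind")
        return key

    def authenticate(self, appspace_id: str, presented: str):
        """Return 'secret', 'publishable', or None for unknown or rotated keys."""
        if presented.startswith(SEC_PREFIX):
            stored = self._sec_hash.get(appspace_id, "")
            candidate = self._digest(presented)
            # Constant-time comparison avoids leaking how many characters matched.
            ok = hmac.compare_digest(stored.encode(), candidate.encode())
            return "secret" if ok else None
        if presented.startswith(PUB_PREFIX):
            stored = self._pub.get(appspace_id, "")
            ok = hmac.compare_digest(stored.encode(), presented.encode())
            return "publishable" if ok else None
        return None
```

Because only the digest of a secret key is kept, a leaked copy of the store does not reveal usable secret keys, and a lost secret key can only be replaced, not recovered.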
4.3 Team Access
- Role-based access: Appspace members are assigned roles (owner, admin, member) that control what actions they can perform.
- Appspace isolation: each Appspace is a fully isolated unit. Members of one Appspace cannot access data belonging to another Appspace unless explicitly invited.
5. Data Handling and Retention
5.1 Data Minimization
We collect only the data necessary to provide and improve the Service. We do not use third-party analytics cookies, advertising trackers, or cross-site tracking scripts. Our analytics pipeline is entirely server-side.
5.2 Retention by Tier
- Free: 7 days of analytics data
- Standard: 180 days (6 months) of analytics data
- Growth: 365 days (1 year) of analytics data
- Scale / Enterprise: up to 730 days (2 years) of analytics data
Account data (configurations, routes, team settings) is retained for as long as your account is active. Upon account deletion, all data is removed from active systems within 30 days.
5.3 Webhook Security
Webhook URLs are validated to prevent Server-Side Request Forgery (SSRF). We block private IP ranges and internal hostnames. Webhook payloads are signed so you can verify they originated from Tolinku.
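One way to implement the webhook URL check described above, shown as an added example that is not Tolinku's code. The function names, the suffix blocklist and the injectable `resolve` parameter are assumptions; the https requirement follows from section 3.1.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed blocklist of internal-only name suffixes.
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost")


def _resolve(host, port):
    """Default resolver: every address the name maps to (requires DNS)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def _is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:         # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    # is_global is False for private, loopback, link-local and reserved ranges.
    return ip.is_global


def validate_webhook_url(url: str, resolve=_resolve) -> list:
    """Return the vetted addresses for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("webhook URL must use https")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError("missing host")
    single_label = "." not in host and ":" not in host  # e.g. "intranet"
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES) or single_label:
        raise ValueError("internal hostname")
    try:
        addrs = {str(ipaddress.ip_address(host))}      # IP literal in the URL
    except ValueError:
        addrs = set(resolve(host, parts.port or 443))  # DNS name
    if not addrs:
        raise ValueError("host does not resolve")
    # Reject if ANY record is non-public: a name can map to mixed addresses.
    blocked = sorted(a for a in addrs if not _is_public(a))
    if blocked:
        raise ValueError(f"resolves to non-public address: {blocked[0]}")
    return sorted(addrs)
```

The delivery code should connect to one of the returned addresses rather than resolving the name again, otherwise a DNS answer that changes between validation and delivery bypasses the check.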
6. Third-Party Security
We carefully vet all third-party services that process data on our behalf. Our current sub-processors and their security postures:
- Stripe: PCI DSS Level 1 certified. Handles all payment processing. Tolinku never stores credit card numbers or sensitive financial data.
- Appwrite: open-source backend platform used for business data storage, authentication, and team management.
- Amazon Web Services (AWS SES): transactional email delivery. AWS maintains SOC 1/2/3, ISO 27001, and numerous other certifications.
- ClickHouse: analytics data processing and storage for click, install, and conversion events.
- MaxMind GeoLite2: IP-to-country mapping for geographic analytics. IP addresses are processed server-side and are not shared with MaxMind.
- Cloudflare: CDN, DDoS protection, and DNS. SOC 2 Type II, ISO 27001, PCI DSS Level 1 certified.
7. Vulnerability Management
- Dependency monitoring: we use automated tools to scan for known vulnerabilities in our dependencies and apply patches promptly.
- Security updates: critical security patches are applied as soon as they become available, typically within 24 hours of disclosure.
- Code review: all code changes go through review before being merged into production branches.
- Input validation: we validate and sanitize all user input to prevent injection attacks (SQL injection, XSS, command injection, and other OWASP Top 10 vulnerabilities).
8. Incident Response
We maintain an incident response plan that covers identification, containment, eradication, recovery, and post-incident review. In the event of a security incident:
- Detection: we monitor our systems for anomalous activity and potential security events.
- Notification: affected customers will be notified within 72 hours of confirming a data breach, in compliance with GDPR Article 33. Where required by law, we will also notify the relevant supervisory authority.
- Transparency: we will provide details about the nature of the breach, the data affected, and the steps we are taking to remediate.
- Post-mortem: every security incident is followed by a thorough review to identify root causes and implement preventive measures.
9. Compliance Posture
- GDPR: we process data in accordance with the General Data Protection Regulation. We offer a Data Processing Agreement for customers who require one. We support data subject rights including access, rectification, erasure, and portability.
- CCPA: we comply with the California Consumer Privacy Act. We do not sell personal information. California residents can exercise their rights as described in our Privacy Policy.
- Data Processing Agreement: our standard DPA is available for all customers on paid plans and incorporates Standard Contractual Clauses (SCCs) for international data transfers.
While we do not currently hold a SOC 2 certification, the practices described on this page reflect our commitment to the security principles that SOC 2 evaluates: security, availability, processing integrity, confidentiality, and privacy.
10. Responsible Disclosure
We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you believe you have found a security issue in any Tolinku service, please report it to us:
- Email: [email protected]
When reporting, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots or proof-of-concept code
We ask that you give us reasonable time to investigate and address the issue before making any public disclosure. We will not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.