Security Overview

Tiquo implements enterprise-grade security across all layers of the platform, from authentication to data storage.

Authentication

Clerk Integration

Tiquo uses Clerk for authentication, providing:

  • Session Management: Secure, short-lived sessions with automatic refresh
  • Multi-factor Auth: SMS, authenticator app, and backup codes
  • Social Login: Google, Apple, Microsoft, and more
  • Enterprise SSO: SAML and OIDC for enterprise customers

Authentication Flow

  1. User Signs In: User authenticates via Clerk’s hosted UI or embedded components
  2. Session Created: Clerk creates a signed JWT with user and organization claims
  3. Token Validation: Each request validates the JWT signature and expiration
  4. Context Established: User identity and organization are available in all server functions

// Accessing authenticated user in Convex
import { query } from "./_generated/server";

export const getData = query({
  handler: async (ctx) => {
    const identity = await ctx.auth.getUserIdentity();

    if (!identity) {
      throw new Error("Unauthenticated");
    }

    // Access user claims
    const userId = identity.subject;
    const orgId = identity.org_id;
    const email = identity.email;
    const role = identity.org_role;

    // Fail closed: without an organization claim there is no tenant to scope to
    if (typeof orgId !== "string") {
      throw new Error("No active organization");
    }

    // Query with organization isolation
    return await ctx.db
      .query("customers")
      .withIndex("by_organization", q => q.eq("clerkOrganizationId", orgId))
      .collect();
  },
});
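
What the Token Validation step has to reject, as an added example (not Tiquo's or Clerk's code). It assumes an RS256-signed JWT; `signToken`, `verifyToken`, the key pair and the sample claims are constructed for illustration.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

// Claims named on this page; the token layout (RS256 JWT) is an assumption.
type Claims = { sub: string; org_id?: string; org_role?: string; exp: number };

const b64url = (s: string): string => Buffer.from(s, "utf8").toString("base64url");

// Constructed stand-in for the identity provider: signs a token for the demo.
function signToken(claims: Claims, key: KeyObject, alg: string = "RS256"): string {
  const head = b64url(JSON.stringify({ alg, typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createSign("RSA-SHA256").update(`${head}.${body}`).sign(key, "base64url");
  return `${head}.${body}.${sig}`;
}

// Returns the claims only if the algorithm, signature and expiry all check out.
function verifyToken(token: string, key: KeyObject, nowSec: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    // Pin the algorithm: never let the token choose how it is verified.
    if (header.alg !== "RS256") return null;
    const ok = createVerify("RSA-SHA256").update(`${head}.${body}`).verify(key, sig, "base64url");
    if (!ok) return null;
    const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
    if (typeof claims.sub !== "string" || typeof claims.exp !== "number") return null;
    if (claims.exp <= nowSec) return null; // expired
    return claims as Claims;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Constructed key pair and sample token (values are not real identifiers).
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const NOW = 1_700_000_000;
const sample: Claims = { sub: "user_123", org_id: "org_abc", org_role: "org:staff", exp: NOW + 60 };
const validToken = signToken(sample, privateKey);
```

Only claims returned by `verifyToken` should feed authorization decisions such as the organization filter above; claims decoded from an unverified token carry no guarantee.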

Authorization

Organization-based Access

All data is isolated by Clerk organization:

| Level | Scope | Description |
| --- | --- | --- |
| Organization | Tenant | Complete data isolation between organizations |
| Location | Sub-tenant | Location-level access control |
| User | Individual | Role-based permissions within organization |

Role-based Access Control

Full administrative access:
  • Manage billing and subscription
  • Add/remove organization members
  • Delete organization
  • Access all data and settings
Administrative access without billing:
  • Manage team members
  • Configure all settings
  • Access all operational data
  • Manage integrations
Location-level management:
  • Manage assigned locations
  • View location analytics
  • Manage staff schedules
  • Handle customer escalations
Day-to-day operations:
  • Create and manage bookings
  • View and edit customers
  • Process payments
  • Access assigned resources
Read-only access:
  • View dashboards and reports
  • View customer information
  • No edit capabilities

Permission Checks

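import { mutation } from "./_generated/server";
import { v } from "convex/values";
import type { UserIdentity } from "convex/server";

// Role-based permission helper
function hasPermission(identity: UserIdentity, permission: string): boolean {
  const rolePermissions: Record<string, string[]> = {
    'org:admin': ['*'],
    'org:manager': ['read', 'write', 'manage_location'],
    'org:staff': ['read', 'write'],
    'org:viewer': ['read'],
  };

  // Custom claims are untyped; treat a missing or non-string role as viewer
  const role = typeof identity.org_role === 'string' ? identity.org_role : 'org:viewer';
  const permissions = rolePermissions[role] || [];

  return permissions.includes('*') || permissions.includes(permission);
}

// Usage in mutation
export const deleteCustomer = mutation({
  args: { customerId: v.id("customers") },
  handler: async (ctx, args) => {
    const identity = await ctx.auth.getUserIdentity();

    // getUserIdentity() returns null for unauthenticated callers
    if (!identity) {
      throw new Error("Unauthenticated");
    }

    // No role lists 'delete' explicitly, so only 'org:admin' ('*') passes
    if (!hasPermission(identity, 'delete')) {
      throw new Error("Insufficient permissions");
    }

    // Confirm the record belongs to the caller's organization before deleting;
    // holding a valid ID does not prove tenant ownership
    const orgId = identity.org_id;
    const customer = await ctx.db.get(args.customerId);
    if (typeof orgId !== 'string' || !customer || customer.clerkOrganizationId !== orgId) {
      throw new Error("Customer not found");
    }

    await ctx.db.delete(args.customerId);
  },
});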

API Security

API Key Management

Tiquo provides API keys for programmatic access:

  • Scoped Permissions: Keys can be limited to specific operations
  • Rate Limiting: Per-key rate limits prevent abuse
  • Audit Logging: All API calls are logged for compliance
  • Key Rotation: Easy key regeneration without downtime

API Key Scopes

| Scope | Access |
| --- | --- |
| customers:read | Read customer data |
| customers:write | Create and update customers |
| orders:read | Read order data |
| orders:write | Create and manage orders |
| analytics:read | Access analytics and reports |
| settings:read | Read organization settings |
| settings:write | Modify organization settings |

Rate Limiting

| Tier | Rate Limit | Burst |
| --- | --- | --- |
| Free | 100 req/min | 10 |
| Pro | 1,000 req/min | 100 |
| Enterprise | 10,000 req/min | 1,000 |
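
How a sustained rate and a burst size interact, as an added example that is not Tiquo's implementation. It assumes the Burst column is the capacity of a per-key token bucket refilled at the tier's rate; `KeyRateLimiter` and the key ids are hypothetical names.

```typescript
type Tier = "free" | "pro" | "enterprise";

// Limits from the table above. Treating "Burst" as bucket capacity is an assumption.
const TIERS: Record<Tier, { perMinute: number; burst: number }> = {
  free: { perMinute: 100, burst: 10 },
  pro: { perMinute: 1000, burst: 100 },
  enterprise: { perMinute: 10000, burst: 1000 },
};

interface Bucket { tokens: number; updatedMs: number }
interface Decision { ok: boolean; retryAfterMs: number }

// Hypothetical per-key limiter: one token bucket per API key id.
class KeyRateLimiter {
  private buckets = new Map<string, Bucket>();

  check(apiKeyId: string, tier: Tier, nowMs: number = Date.now()): Decision {
    const { perMinute, burst } = TIERS[tier];
    const b: Bucket = this.buckets.get(apiKeyId) ?? { tokens: burst, updatedMs: nowMs };
    // Refill for elapsed time, capped at the burst size; ignore a clock that steps back.
    const elapsedMs = Math.max(0, nowMs - b.updatedMs);
    b.tokens = Math.min(burst, b.tokens + (elapsedMs * perMinute) / 60000);
    b.updatedMs = Math.max(b.updatedMs, nowMs);
    this.buckets.set(apiKeyId, b);
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { ok: true, retryAfterMs: 0 };
    }
    // Denied requests consume nothing; report when the next token arrives.
    return { ok: false, retryAfterMs: Math.ceil(((1 - b.tokens) * 60000) / perMinute) };
  }
}
```

Under this model a Free-tier key can send 10 requests back to back, then one more every 600 ms; clients should back off for `retryAfterMs` rather than retrying immediately.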

Data Protection

Encryption

  • TLS 1.3 for all connections
  • HTTPS enforced across all endpoints
  • Certificate pinning on mobile apps
  • AES-256 encryption for stored data
  • Encrypted backups
  • Key management via cloud provider HSM
  • Environment variables for sensitive config
  • No secrets in source code
  • Automatic secret rotation support

Data Retention

| Data Type | Retention | Notes |
| --- | --- | --- |
| Active Data | Indefinite | While account is active |
| Deleted Records | 30 days | Soft delete, then permanent |
| Activity Logs | 90 days | Audit and compliance |
| Analytics | 2 years | Aggregated, anonymized |
| Backups | 30 days | Point-in-time recovery |

Webhook Security

Signature Verification

All outgoing webhooks include a signature for verification:
// Webhook signature format
const signature = crypto
  .createHmac('sha256', webhookSecret)
  .update(JSON.stringify(payload) + timestamp)
  .digest('hex');

// Header format
headers['X-Tiquo-Signature'] = `t=${timestamp},v1=${signature}`;

Verification Example

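import crypto from "node:crypto";

function verifyWebhook(
  payload: string,
  header: string,
  secret: string
): boolean {
  // Parse "t=<timestamp>,v1=<signature>" without assuming well-formed input
  const parts = new Map(
    header.split(',').map((p) => {
      const i = p.indexOf('=');
      return [p.slice(0, i).trim(), p.slice(i + 1)] as [string, string];
    })
  );
  const timestamp = parts.get('t');
  const signature = parts.get('v1');
  if (!timestamp || !signature || !/^\d+$/.test(timestamp)) return false;

  // Check timestamp is recent (5 minute window), rejecting far-future values too
  const age = Date.now() - parseInt(timestamp, 10) * 1000;
  if (Math.abs(age) > 300000) return false;

  // Verify signature; payload must be the raw request body exactly as received,
  // not an object that was parsed and re-serialized
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload + timestamp)
    .digest('hex');

  // timingSafeEqual throws on a length mismatch, so compare lengths first
  const received = Buffer.from(signature);
  const computed = Buffer.from(expected);
  return (
    received.length === computed.length &&
    crypto.timingSafeEqual(received, computed)
  );
}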

Infrastructure Security

Hosting

Vercel

  • SOC 2 Type II compliant
  • GDPR ready
  • Automatic SSL certificates
  • DDoS protection

Convex

  • SOC 2 Type II compliant
  • Encrypted at rest
  • Point-in-time recovery
  • Multi-region replication

Network Security

  • All traffic over HTTPS
  • IP allowlisting available for Enterprise
  • WAF protection against common attacks
  • Regular security scanning

Compliance

Standards

| Standard | Status |
| --- | --- |
| GDPR | Compliant |
| SOC 2 Type II | Via hosting providers |
| PCI DSS | Via Stripe |
| CCPA | Compliant |

Data Subject Rights

Tiquo supports GDPR data subject rights:
  • Export all data associated with a customer or user
  • Correct inaccurate personal data
  • Delete personal data upon request
  • Export data in machine-readable format

Security Best Practices

  1. Enable MFA: Require multi-factor authentication for all team members
  2. Use Least Privilege: Assign the minimum role needed for each team member
  3. Rotate Keys Regularly: Regenerate API keys on a regular schedule
  4. Monitor Activity: Review audit logs for suspicious activity
  5. Keep Software Updated: Update mobile apps and integrations regularly

Reporting Security Issues

If you discover a security vulnerability:
  1. Do not disclose it publicly
  2. Email [email protected]
  3. Include detailed reproduction steps
  4. Allow us time to investigate and fix
We commit to:
  • Acknowledging reports within 24 hours
  • Providing updates on investigation progress
  • Crediting reporters (if desired) after fix
For general support questions, contact [email protected].