Last updated: 2026-04-28
Encryption
All traffic between your browser, our extension, our API, and our servers travels over TLS 1.2 or higher. Data at rest (Postgres database volumes, S3-compatible capture storage on DigitalOcean Spaces) is encrypted by the storage provider.
Redaction
The extension redacts sensitive headers, URL query parameters, URL fragments, and credential-shaped JSON keys client-side before any capture leaves your browser. The same rules are re-applied server-side as a defense-in-depth check. The redaction list is extensible from the extension’s Options page.
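As an added illustration (example code written for this page, not the extension's own source), here is a redactor that applies the four rule classes above to one captured request/response and accepts extra rules the way an Options page would supply them. The rule names, the default lists, the capture shape, and the handling of form-encoded and unparsable bodies are assumptions of this example.

```javascript
// Added example (not Toado's extension code): client-side capture redaction.
// Rule names, default lists and the capture shape are assumptions for this example.
const REDACTED = "REDACTED";

const DEFAULT_RULES = {
  // Header names are compared case-insensitively.
  headers: ["authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key", "x-auth-token"],
  // Query-string and form-field names are compared case-insensitively.
  queryParams: ["token", "access_token", "refresh_token", "id_token", "api_key", "apikey",
                "key", "password", "code", "session", "sig", "signature"],
  // JSON keys are matched by shape, not exact name. Deliberately broad: a false positive
  // ("author" matching "auth") costs a little context; a miss leaks a secret.
  jsonKeyPattern: /pass(word|wd)?|secret|token|api[_-]?key|auth|credential|private[_-]?key|session/i,
};

// Merge rules supplied by the user with the defaults. Users can only add, never remove.
function mergeRules(extra = {}) {
  const lower = (xs) => (xs || []).map((x) => x.toLowerCase());
  return {
    headers: [...DEFAULT_RULES.headers, ...lower(extra.headers)],
    queryParams: [...DEFAULT_RULES.queryParams, ...lower(extra.queryParams)],
    jsonKeyPattern: extra.jsonKeyPattern || DEFAULT_RULES.jsonKeyPattern,
  };
}

function redactUrl(urlString, rules) {
  let url;
  try { url = new URL(urlString); } catch { return REDACTED; } // unparsable: drop it whole
  if (url.password) url.password = REDACTED;                   // https://user:secret@host/...
  for (const name of [...url.searchParams.keys()]) {           // copy keys: we mutate while iterating
    if (rules.queryParams.includes(name.toLowerCase())) url.searchParams.set(name, REDACTED);
  }
  if (url.hash) url.hash = REDACTED; // fragments carry implicit-flow tokens; never worth keeping
  return url.toString();
}

function redactHeaders(headers, rules) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name] = rules.headers.includes(name.toLowerCase()) ? REDACTED : value;
  }
  return out;
}

function redactJsonValue(value, rules) {
  if (Array.isArray(value)) return value.map((v) => redactJsonValue(v, rules));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = rules.jsonKeyPattern.test(key) ? REDACTED : redactJsonValue(v, rules);
    }
    return out;
  }
  return value; // primitives are only ever redacted through their key
}

function redactBody(body, contentType, rules) {
  if (typeof body !== "string" || body === "") return body;
  const ct = (contentType || "").toLowerCase();
  if (ct.includes("json")) {
    try { return JSON.stringify(redactJsonValue(JSON.parse(body), rules)); }
    catch { return REDACTED; } // declared JSON but unparsable: do not ship an unredacted blob
  }
  if (ct.includes("x-www-form-urlencoded")) {
    const params = new URLSearchParams(body);
    for (const name of [...params.keys()]) {
      if (rules.queryParams.includes(name.toLowerCase())) params.set(name, REDACTED);
    }
    return params.toString();
  }
  return body; // other content types need their own rules or a size cap
}

// Apply every rule class to one captured exchange. Returns a new object; input is untouched.
function redactCapture(capture, rules = DEFAULT_RULES) {
  const side = (s) => {
    if (!s) return s;
    const out = { ...s, headers: redactHeaders(s.headers, rules), body: redactBody(s.body, s.contentType, rules) };
    if (typeof s.url === "string") out.url = redactUrl(s.url, rules);
    return out;
  };
  return { ...capture, request: side(capture.request), response: side(capture.response) };
}
```

The same module can run on the server as the defense-in-depth pass, which is the point of keeping the rules as data rather than scattering them through the capture code: one rule list, two call sites, and a mismatch between them becomes a test failure instead of a leak.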
Roles and permissions
Roles in a workspace are owner, member, and viewer. The role determines who can edit tickets, change billing, manage members, and access audit logs. Authorization is enforced server-side on every request.
Authentication and sessions
Passwords are stored as bcrypt hashes. Sessions use signed, HttpOnly cookies with the Lax SameSite attribute. The extension authenticates via OAuth 2.0 with PKCE; its tokens are stored in the extension’s local storage and are sent only to our API.
Audit log
Mutating actions across the workspace (member changes, role updates, billing events, ticket lifecycle, capture uploads) are written to an append-only audit log retained for 365 days. Owners can export the log as CSV.
Rate limiting
Authentication, OAuth, and write-heavy endpoints are rate-limited per IP. Limits are tuned to bound abuse without affecting normal use.
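Per-IP limiting is only as good as the address it keys on, so this added example (written for this page, not the API's code) pairs a sliding-window limiter with the client-address resolution behind a reverse proxy. The limits, header names, endpoint classes, and request shape are assumptions; the one rule that is not is that the leftmost X-Forwarded-For entry is whatever the client chose to send.

```javascript
// Added example (not Toado's code): per-IP sliding-window rate limiting behind a proxy.
// Limits, header names, endpoint classes and the request shape are assumptions.

// X-Forwarded-For is appended to by each proxy in turn, so the only entries that the
// client cannot forge are the ones written by our own trusted proxies. Counting from the
// right, the entry at (length - trustedProxies) is the address the outermost trusted
// proxy actually saw. With no proxy in front of us, the header must be ignored entirely.
function clientIp(req, trustedProxies) {
  const remote = req.socket.remoteAddress;
  if (trustedProxies === 0) return remote;
  const chain = String(req.headers["x-forwarded-for"] || "")
    .split(",").map((s) => s.trim()).filter(Boolean);
  const idx = chain.length - trustedProxies;
  return idx >= 0 ? chain[idx] : remote; // chain too short: a proxy was bypassed, fall back
}

class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit; this.windowMs = windowMs; this.now = now; this.hits = new Map();
  }
  check(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
  // Run periodically; otherwise one-hit addresses accumulate in memory, a DoS vector of its own.
  sweep() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, ts] of this.hits) if (!ts.some((x) => x > cutoff)) this.hits.delete(key);
  }
}

// One bucket per endpoint class, so a password-guessing burst cannot starve normal writes.
function makeLimiters(now) {
  return {
    login: new SlidingWindowLimiter({ limit: 10, windowMs: 60_000, now }),
    oauth: new SlidingWindowLimiter({ limit: 30, windowMs: 60_000, now }),
    write: new SlidingWindowLimiter({ limit: 120, windowMs: 60_000, now }),
  };
}

// Decision for one request: null status means "continue", 429 carries Retry-After in seconds.
function limitRequest(req, limiters, trustedProxies) {
  const limiter = limiters[req.route];
  if (!limiter) return { status: null };
  const r = limiter.check(`${req.route}:${clientIp(req, trustedProxies)}`);
  if (r.allowed) return { status: null, headers: { "RateLimit-Remaining": String(r.remaining) } };
  return { status: 429, headers: { "Retry-After": String(Math.ceil(r.retryAfterMs / 1000)) } };
}
```

Two caveats a practitioner would add: key IPv6 clients by /64 rather than by full address, since a single subscriber usually controls a whole /64 and can otherwise rotate freely; and keep the login limiter's window short enough that a locked-out legitimate user is back within a minute, because per-IP limits are a brute-force brake, not an account lockout.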
Data deletion
Soft-deleted tickets and captures are reaped from storage 30 days after deletion. Account-level deletion is available on request from contact@jhmediagroup.com.
Subprocessors
We rely on the following third parties to operate the service. Each handles a defined data scope under a Data Processing Addendum or equivalent agreement.
| Subprocessor | Service | Data processed | Location |
|---|---|---|---|
| DigitalOcean, LLC | Application hosting, Postgres database, Valkey cache, Spaces object storage | All customer data | United States |
| Stripe, Inc. | Subscription billing, payment processing | Billing and customer record (no card numbers reach Toado) | United States |
| Twilio SendGrid | Transactional email (account verification, magic-link invites, password reset) | Recipient email, subject, body, delivery status | United States |
| Anthropic, PBC | AI-generated ticket titles | Ticket description text only (no screenshots, DOM, console, or network data) | United States |
| Google LLC (Workspace) | Inbound email handling for @toado.dev addresses | Email content of replies sent to Toado | United States |
| Vercel Inc. | Marketing site hosting | Marketing-site request logs only | United States |
Vulnerability disclosure
Security researchers can report vulnerabilities to contact@jhmediagroup.com. We acknowledge reports within two business days and aim to resolve confirmed vulnerabilities promptly based on severity.
Compliance
We are an early-stage product. The following are not available today: SOC 2 / SOC 3 reports, HIPAA Business Associate Agreements, ISO 27001 certification, single sign-on (SAML / OIDC) for end-user authentication, EU-only data residency. We will update this page when any of these change.