Tailor holds the plans, product data, client records, and AI inputs of interior design firms and their clients. Security isn’t a sales slide for us. It’s the operating assumption. This page summarizes how we protect your data in practice. For contract-grade detail (DPA, subprocessor list, certifications, architecture diagrams), email security@tailor.design.
1. Infrastructure
Tailor runs on a modern managed-cloud stack. Application code is hosted on edge + serverless infrastructure in the United States; the database and storage live on managed Postgres with geographic redundancy. Both rely on providers with independent security certifications (SOC 2, ISO 27001). Compute and storage are isolated from the public internet at the provider level; only narrow, documented endpoints are exposed.
2. Data isolation
Every row in our database is scoped to an organization. We enforce that isolation at the database layer with Postgres Row Level Security (RLS), not only in application code: the database itself filters every read and write by the caller's organization membership, so a buggy or misbehaving server route running under the ordinary application role cannot read or write another org's data even if it tries. The only code that can see across organizations is the small set of service-role routes described below.
- Per-row ownership: every table that stores project, render, or client data carries an owner_id or organization_id column. RLS policies deny access unless the authenticated user is a member of the org that owns the row.
- Service-role boundaries: a small set of server-only routes use a privileged service-role key, which is not bound to any single organization, to perform narrow, well-defined operations (e.g. Stripe webhook handling, admin reports). That key never reaches the browser and is scoped to the server runtime.
- Client-portal tokens: presentation and spec-book links use single-purpose, revocable tokens that only expose the specific content the user opted to share.
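As an added illustration of the three points above, and not Tailor's actual schema or code: a minimal Postgres setup in the shape this section describes. It assumes the API runs normal requests under an ordinary database role (app_user here), passes the signed-in user's id to the database per request through a session setting (app.user_id), and backs client-portal links with a table of hashed, revocable tokens. The table, column, role and setting names (org_members, renders, share_links, service_role, app.share_token) are assumptions made for the example.

```sql
-- Added example, not Tailor's schema. Assumed names: app_user, service_role,
-- org_members, renders, share_links, and the per-request session settings
-- app.user_id / app.share_token that the API binds before querying.

CREATE TABLE org_members (
  organization_id uuid NOT NULL,
  user_id         uuid NOT NULL,
  role            text NOT NULL CHECK (role IN ('owner', 'admin', 'member')),
  PRIMARY KEY (organization_id, user_id)
);

CREATE TABLE renders (
  id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  organization_id uuid NOT NULL,          -- every data row is org-scoped
  title           text NOT NULL,
  image_url       text NOT NULL
);

-- Client-portal links: only a SHA-256 of the token is stored, so reading this
-- table cannot mint a working link; each link points at exactly one render.
CREATE TABLE share_links (
  token_hash bytea PRIMARY KEY,
  render_id  uuid NOT NULL REFERENCES renders(id) ON DELETE CASCADE,
  expires_at timestamptz NOT NULL,
  revoked_at timestamptz
);

-- Ordinary API traffic runs as app_user and is subject to RLS. Server-only
-- jobs (webhook handling, admin reports) run as service_role, which bypasses
-- RLS; the API's login role is granted both and switches per request.
CREATE ROLE app_user NOLOGIN;
CREATE ROLE service_role NOLOGIN BYPASSRLS;
GRANT SELECT ON org_members TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON renders TO app_user;
GRANT ALL ON org_members, renders, share_links TO service_role;

-- Identity of the caller for this request, or NULL when none was bound.
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- True when the request carries a live portal token for this render.
-- SECURITY DEFINER lets the check read share_links without granting app_user
-- any access to the table itself; search_path is pinned for safety.
CREATE FUNCTION portal_token_allows(target_render uuid) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
  SELECT EXISTS (
    SELECT 1 FROM share_links s
    WHERE s.render_id = target_render
      AND s.token_hash = sha256(convert_to(
            current_setting('app.share_token', true), 'UTF8'))
      AND s.revoked_at IS NULL
      AND s.expires_at > now())
$$;

ALTER TABLE org_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE renders     ENABLE ROW LEVEL SECURITY;
ALTER TABLE renders     FORCE  ROW LEVEL SECURITY;  -- table owner obeys policies too

-- A user may see only their own membership rows.
CREATE POLICY members_self ON org_members
  FOR SELECT TO app_user USING (user_id = current_app_user());

-- Members reach rows of orgs they belong to. With no WITH CHECK clause the
-- same expression governs INSERT/UPDATE, so a buggy route cannot write a row
-- into another org either.
CREATE POLICY renders_member ON renders
  FOR ALL TO app_user
  USING (EXISTS (
    SELECT 1 FROM org_members m
    WHERE m.organization_id = renders.organization_id
      AND m.user_id = current_app_user()));

-- Portal viewers have no user id; a valid, unrevoked, unexpired token exposes
-- exactly the one render it was issued for, read-only.
CREATE POLICY renders_portal ON renders
  FOR SELECT TO app_user USING (portal_token_allows(id));

-- Per request the API binds the identity it has, then queries normally.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.user_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, title FROM renders;   -- only this user's orgs, whatever the WHERE clause says
COMMIT;

-- Revoking a shared link is one update by a server route (as service_role);
-- renders_portal stops honouring the token from the next statement on.
UPDATE share_links SET revoked_at = now()
 WHERE token_hash = sha256(convert_to('the-token-being-revoked', 'UTF8'));
```

The part worth copying is the split between the two roles: every request that carries a browser-originated identity runs as the RLS-bound role, and the bypassing role is reachable only from server code that never sees user input as its identity. Binding the user id with the third argument of set_config set to true keeps it transaction-local, so a pooled connection cannot carry one caller's identity into the next request.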
3. Encryption
- In transit: all traffic to tailor.design and our API is encrypted with TLS 1.2 or later. Plain HTTP requests are redirected to HTTPS at the edge, and the Strict-Transport-Security (HSTS) header is set so browsers that have seen it keep using HTTPS on later visits.
- At rest: database, object storage, and backups are encrypted with AES-256 using provider-managed keys rotated on the provider’s schedule.
- Secrets: API keys, webhook secrets, and OAuth credentials are stored in the platform secret manager, scoped per environment, and never committed to source control.
4. Authentication and access
- User sign-in: email/password with bcrypt-hashed credentials, plus Google single sign-on. Passwords are never stored or logged in plaintext.
- Session management: short-lived JWT access tokens with refresh tokens rotated on use. Sessions can be revoked from the dashboard.
- Role-based access: within an organization, each member has one of owner, admin, or member. Billing, member management, and deletion are restricted to owners/admins.
- Tailor staff access: least-privilege. Engineers use named accounts with MFA required, access is logged, and production data access is gated through break-glass procedures with post-hoc review.
5. AI subprocessors
Our visualization and analysis features send prompts, product images, and floor-plan references to third-party inference providers. We treat the specific stack as confidential, but here’s how we handle your data in transit to and from those providers:
- Inputs travel over HTTPS directly to the inference endpoint; no third party is proxied between us and the provider.
- We select providers with contractual commitments to zero or short-retention on API traffic and that prohibit using customer data to train models served to other customers.
- We do not use your confidential project content to train foundation models available outside your organization. See the Privacy Policy for the full treatment.
6. Payments
Card payments are handled end-to-end by Stripe. Card numbers never touch Tailor’s servers. The browser tokenizes the card through Stripe.js and we only see a payment-method id and a billing summary. Stripe is a Level 1 PCI-DSS service provider.
7. Vendor imports and scraping
When you save products from a retailer site, our scraping service fetches publicly available pages from dedicated IP ranges and extracts only standard product fields (image, title, price, specs). We respect robots.txt directives and the originating sites' terms where applicable. Scraped content is stored under your organization and is subject to the same RLS isolation as everything else.
8. Monitoring, logging, and audit
- Application + security logs: structured logs with a short retention window for operations, plus a longer-retention audit log for security-relevant events (sign-ins, role changes, admin actions, billing events).
- Error tracking: exception telemetry with scrubbing of known sensitive fields.
- Usage monitoring: rate limits on authentication, AI, and write endpoints to contain abuse or runaway automation.
9. Vulnerability management
- Dependencies are monitored continuously; critical advisories are patched on an expedited schedule.
- We perform internal security reviews on every material change to authentication, billing, or data-access code paths.
- External penetration testing is performed on a recurring basis. Summary reports are available under NDA for enterprise customers.
10. Backups and disaster recovery
The primary database is continuously replicated and backed up. We can restore the entire service to a point in time within the retention window. Backups inherit the same encryption-at-rest as the live database, and are tested on a routine schedule.
11. Data retention and deletion
- While your account is active, your data stays online and accessible to you through the app and our export tooling.
- Soft-deleted items (renders, videos, projects) move to Trash with a 30-day retention window; permanent deletion follows on the next purge cycle.
- On account closure, personal information is deleted or de-identified within 30 days. Backups are purged on a rolling 90-day schedule. Aggregated/de-identified data may be retained for quality and reliability.
12. Incident response
We maintain a documented incident-response runbook covering detection, containment, eradication, recovery, and post-incident review. If we learn of a security incident that materially affects your personal information, we will notify you without undue delay and in line with applicable law. Status communications are posted to our status page and/or email.
13. Customer-side responsibilities
Security is a shared responsibility. You help us keep your account safe by:
- Using strong, unique passwords and enabling two-factor authentication on your email.
- Revoking access for teammates who leave your firm.
- Treating shared presentation and spec-book links as sensitive. They grant access to anyone with the URL.
- Reporting suspected incidents to security@tailor.design as soon as possible.
14. Reporting a vulnerability
If you believe you’ve found a security issue in Tailor, please email security@tailor.design with a description of the issue, steps to reproduce, and any proof-of-concept. We ask that you don’t publicly disclose the issue until we’ve confirmed a fix. We’ll acknowledge reports promptly and coordinate on timelines; we don’t pursue legal action against researchers who report in good faith and follow this policy.
15. Certifications and diligence
Relivo, Inc. maintains an internal security program aligned with SOC 2 Trust Services Criteria and is actively pursuing SOC 2 Type II attestation. Enterprise customers can request our latest security questionnaire, subprocessor list, and DPA by emailing security@tailor.design.
Tailor is a product of Relivo, Inc. © 2026 Relivo, Inc. All rights reserved.