SECURITY
Tiveko
Last updated: February 11, 2026
Your Security Is Our Priority
At Tiveko, protecting our users' data is fundamental. We have designed our infrastructure using industry-leading providers, each with their own certifications and security standards, to ensure your information is protected at every layer.
Infrastructure and Certifications
Payment Processing — Stripe
Tiveko uses Stripe Connect for payment processing. We never store credit card data, bank account numbers, or sensitive financial information on our servers.
- PCI DSS Level 1: Stripe is a PCI DSS Level 1 certified service provider, the highest certification level in the payments industry.
- Tokenization: Payment data is tokenized by Stripe before any processing, ensuring sensitive financial information never passes through our servers.
- Direct payments: Through Stripe Connect, funds go directly to the Organizer's account. MS Themes has no access to or custody of the funds.
- 3D Secure: Support for enhanced payment authentication when required by the issuing bank.
- More information: https://stripe.com/docs/security
Authentication — Clerk
Identity and access management is operated by Clerk, an enterprise-grade authentication platform.
- SOC 2 Type II: Clerk has completed the SOC 2 Type II audit, which verifies the operational effectiveness of its security controls.
- Credential encryption: Passwords are stored using secure hashing algorithms (bcrypt). Clerk never stores passwords in plain text.
- Multi-factor authentication (MFA): Support for two-factor authentication for an additional layer of protection.
- Session management: Secure session tokens with automatic expiration and anomaly detection.
- Social identity providers: Secure integration with Google and other OAuth 2.0 providers.
- More information: https://clerk.com/docs/security/overview
Database — Supabase
All platform data is stored in Supabase, a database platform built on PostgreSQL.
- SOC 2 Type II: Supabase has completed the SOC 2 Type II audit.
- Encryption at rest: All stored data is encrypted using AES-256.
- Encryption in transit: All communications with the database are protected via TLS 1.2+.
- Automatic backups: Daily automatic database backups.
- Row Level Security (RLS): Row-level security policies ensuring each Organization can only access its own data.
- Data isolation: Each Organization operates in a logically isolated environment within the database.
- More information: https://supabase.com/docs/guides/platform/security
Hosting and Network — Vercel
The web application is hosted and distributed through Vercel.
- SOC 2 Type II: Vercel has completed the SOC 2 Type II audit.
- Automatic SSL/TLS: All domains served by Vercel are protected with automatically managed SSL/TLS certificates.
- Global CDN network: Content distributed through a global distribution network for maximum availability and performance.
- DDoS protection: Automatic mitigation of distributed denial-of-service attacks at the network and application levels.
- Edge Network: Serverless functions executed at the edge for minimal latency and maximum isolation.
- Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, and other security headers configured by default.
- More information: https://vercel.com/docs/security
Messaging — Zavu
Transactional email and WhatsApp communications (confirmations, tickets, reminders, notifications) are sent through Zavu, a unified messaging platform.
- TLS encryption for email: All emails are transmitted over TLS-encrypted connections.
- Email authentication: SPF, DKIM, and DMARC configured to prevent identity spoofing and phishing.
- Official WhatsApp Business: WhatsApp messages use Meta-approved utility templates and the official WhatsApp Business infrastructure.
- URL verification: every URL in outbound messages is verified before send to prevent phishing.
- No content storage: message content is not retained after delivery.
- More information: https://zavu.dev
Virtual Events — Zoom
The Zoom integration for virtual events uses the official Zoom API.
- SOC 2 Type II: Zoom has completed the SOC 2 Type II audit.
- AES-256-GCM encryption: Zoom meetings are protected with AES-256-GCM encryption.
- OAuth 2.0 authentication: The connection between Tiveko and Zoom uses the standard OAuth 2.0 protocol. We do not store Zoom credentials.
- Limited integration scope: Tiveko only accesses the Zoom API to create and configure meetings. It does not have access to meeting audio, video, chat, or recordings.
- More information: https://explore.zoom.us/en/trust/security/
Application Security Practices
Access Control
- Roles and permissions: Granular role system that allows Organizers to control what actions each team member can perform.
- Organization isolation: Each Organization is an independent environment. Members of one Organization cannot access data from another.
- Principle of least privilege: Users only have access to the features and data necessary for their role.
Data Protection
- No financial data storage: Payment data is processed exclusively by Stripe. It never touches our servers.
- Dynamic QR codes: Ticket QR codes are generated in the user's browser when viewing the ticket. They are not stored as images on our servers, eliminating the risk of QR file leakage.
- Logos by URL: Organizer logos are referenced by URL, not stored on our servers, minimizing file storage surface.
- Server-side validation: All inputs are validated on the server to prevent injection and data manipulation.
- Mandatory HTTPS: All communication between the user's browser and our servers is encrypted.
Code Security
- Updated dependencies: Continuous vulnerability monitoring in dependencies through automated alerts.
- Environment variables: API keys and credentials are managed as encrypted environment variables, never in source code.
- Verified webhooks: Stripe webhooks are validated with cryptographic signatures to prevent forged requests.
Regulatory Compliance
Tiveko is committed to compliance with applicable data protection laws in the jurisdictions where we operate:
| Regulation | Jurisdiction | Status |
|---|---|---|
| LFPDPPP | Mexico | Active compliance |
| GDPR | European Union | Active compliance |
| CCPA/CPRA | California, USA | Active compliance |
| LGPD | Brazil | Active compliance |
| PCI DSS | Global (payments) | Through Stripe |
For more details on personal data processing, see our Privacy Policy.
Provider Certification Summary
| Provider | Service | SOC 2 Type II | PCI DSS | Encryption at Rest | Encryption in Transit |
|---|---|---|---|---|---|
| Stripe | Payments | ✅ | ✅ Level 1 | ✅ AES-256 | ✅ TLS 1.2+ |
| Clerk | Authentication | ✅ | — | ✅ | ✅ TLS 1.2+ |
| Supabase | Database | ✅ | — | ✅ AES-256 | ✅ TLS 1.2+ |
| Vercel | Hosting/CDN | ✅ | — | ✅ | ✅ TLS 1.2+ |
| Zoom | Virtual events | ✅ | — | ✅ AES-256-GCM | ✅ TLS 1.2+ |
| Zavu | Email + WhatsApp | — | — | ✅ | ✅ TLS 1.2+ |
Vulnerability Reporting
If you discover a security vulnerability in Tiveko, we ask that you report it responsibly. We value the collaboration of the security community to keep our platform safe.
Contact: soporte@tiveko.com Subject: "Security — Vulnerability Report"
We commit to:
- Acknowledging receipt of your report within 48 hours.
- Providing an initial assessment within 5 business days.
- Maintaining transparent communication on resolution progress.
- Not taking legal action against security researchers who act in good faith and follow responsible disclosure practices.
Questions
If you have questions about our security practices or need additional information for a security assessment, contact us at:
Email: soporte@tiveko.com Company: MS Themes, Inc. Website: www.tiveko.com
Last updated: February 11, 2026