Security at Tiptap

Tiptap is trusted by thousands of developers and enterprises to build and host collaborative document experiences. Security is foundational to how we build and operate our platform.

Compliance & Certifications

SOC 2 Type II

Tiptap has achieved SOC 2 Type II compliance. An independent third-party audit has verified our security controls across availability, confidentiality, and security. The latest report is available upon request via our Trust Center.

GDPR

Tiptap is fully GDPR compliant. We provide a Data Processing Agreement (DPA) for customers who require one. Our Privacy Policy details how we collect, process, and protect personal data.

Data Privacy Framework (DPF)

Tiptap adheres to the EU-U.S. Data Privacy Framework principles for transatlantic data transfers.

Infrastructure Security

Hosting & Data Residency

Our services are hosted on Hetzner infrastructure across multiple regions. For customers with data residency requirements, we offer EU-only hosting to ensure your data never leaves European jurisdiction.

Network Security & DDoS Protection

Tiptap employs multiple layers of network protection:

Encryption

At rest:

All customer data is encrypted at rest using AES-256. Encryption happens at both the application level and within our databases, with separate private keys for each environment.

In transit:

All data transmitted to and from Tiptap services is encrypted using TLS. We enforce HTTPS across all endpoints.

Application-level encryption:

Sensitive data is encrypted within the application before storage, providing an additional security layer beyond database encryption.

Data Protection

Backups

All customer data is backed up regularly with point-in-time recovery capabilities. Backups are:

Data Isolation

Customer data is logically isolated at the application and database levels. Each customer's documents and collaboration data are segregated to prevent cross-tenant access.

Access Controls

Role-Based Access Control (RBAC)

The Tiptap Cloud dashboard supports granular role-based permissions, allowing you to control who can access and modify your organization's resources, billing, and settings.

Authentication

Internal Access

Tiptap employees operate under the principle of least privilege. Access to production systems and customer data is restricted, logged, and auditable. We conduct regular access reviews and require multi-factor authentication for all internal systems.

Vulnerability Management

Penetration Testing

We engage independent security firms to conduct regular penetration tests of our infrastructure and applications. Enterprise customers can request access to our latest penetration testing summary.

Dependency Scanning

Our CI/CD pipelines include automated dependency scanning to identify and remediate known vulnerabilities in third-party packages before deployment.

Security Monitoring

We maintain continuous monitoring of our systems for security anomalies, with automated alerting and incident response procedures.

Responsible Disclosure

If you discover a security vulnerability in Tiptap, please report it to security@tiptap.dev. We take all reports seriously and will respond promptly.

Payment Processing

Tiptap uses Paddle to process payments. We do not store or process credit card information on our servers. Payment information is handled securely by Paddle, our payment processor and merchant of record.

Availability & Reliability

Uptime

We target 99.9% uptime for our cloud services. Real-time and historical status is available at status.tiptap.dev.

Incident Response

We maintain documented incident response procedures. In the event of a security incident affecting customer data, we will notify affected customers in accordance with our contractual obligations and applicable law.

Trust Center

For the latest compliance documentation, audit reports, and security questionnaire responses, visit our Trust Center.

Frequently Asked Questions

Where is my data stored?

Customers can choose to store their data in either European or US data centers (Hetzner). Enterprise customers can request specific data residency configurations.

Is Tiptap SOC 2 compliant?

Yes. Tiptap has achieved SOC 2 Type II compliance. Reports are available upon request via our Trust Center.

Is Tiptap GDPR compliant?

Yes. We offer a Data Processing Agreement (DPA) and our infrastructure supports EU-only data residency.

Does Tiptap encrypt my data?

Yes. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+), with application-level encryption for sensitive data.

Does Tiptap conduct penetration testing?

Yes. We engage third-party security experts to conduct regular penetration tests. Summary reports are available to enterprise customers upon request.

How do I report a security vulnerability?

Please email security@tiptap.dev. We take all reports seriously and respond promptly.

Can I get a copy of the SOC 2 report?

Yes. Contact us or visit our Trust Center to request access.

Does Tiptap use subprocessors?

Yes. A list of our subprocessors is available upon request or through our Trust Center.

Does Tiptap offer a DPA?

Yes. Contact us at humans@tiptap.dev to request our Data Processing Agreement.