We're pre-SOC2 and honest about it. Here's what's in place, what's roadmapped, and the target date for every gap. This page is the source-of-truth for the customer-facing posture referenced in our DPA §9.3 acknowledgement. It is not counsel-reviewed yet — that pass is next.
All traffic to api.travelminds.ai and travelminds.ai is TLS 1.2+ only, fronted by Cloudflare in Full-Strict mode. API keys are hashed with Argon2id at rest; only the key's prefix (used for revocation lookup) is stored in cleartext.
Database at-rest encryption posture today is the host filesystem encryption layer (LUKS on the dev environment; the production hosting plan is documented under S6 Hetzner ANTICIPATED). Customer-uploaded artifacts (export bundles, on-prem Parquet deltas) are encrypted with per-Customer keys before leaving Provider infrastructure.
API keys follow the `tmai_live_<prefix>.<secret>` format. The prefix is publicly visible (it is shown in the dashboard and revocation UI); the secret is never recoverable after issue. All database access on the gateway path runs under the bound `tmaiv2_api` Postgres role, which is restricted by row-level-security policy to the rows the calling tenant is licensed to read.
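The key lifecycle the two paragraphs above describe (public prefix for lookup, secret hashed and never stored) as an added, runnable illustration. This is not TravelMindsAI's gateway code: the 8-hex-character prefix length, the 32-byte secret length and the in-memory key table are assumptions. It uses argon2-cffi's Argon2id when that package is installed; when it is not, it falls back to hashlib.scrypt so the block still runs offline, which is a labelled stand-in and not the algorithm the page states.

```python
"""Illustrative lifecycle for keys in the tmai_live_<prefix>.<secret> format.
Added example, not TravelMindsAI's gateway code. Assumptions: an 8-hex-char prefix,
a 32-byte URL-safe secret, and an in-memory dict standing in for the key table.
Argon2id via argon2-cffi is used when installed; otherwise hashlib.scrypt is a
stand-in so the example runs offline (NOT the algorithm the page describes)."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

try:
    from argon2 import PasswordHasher
    from argon2.exceptions import VerificationError

    _PH = PasswordHasher()  # argon2-cffi defaults to Argon2id

    def _hash_secret(secret: str) -> str:
        return _PH.hash(secret)

    def _verify_secret(stored: str, secret: str) -> bool:
        try:
            return _PH.verify(stored, secret)
        except VerificationError:
            return False
except ImportError:  # stand-in only: scrypt, not Argon2id
    def _hash_secret(secret: str) -> str:
        salt = os.urandom(16)
        dk = hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1)
        return f"scrypt${salt.hex()}${dk.hex()}"

    def _verify_secret(stored: str, secret: str) -> bool:
        _, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.scrypt(secret.encode(), salt=bytes.fromhex(salt_hex),
                            n=2 ** 14, r=8, p=1)
        return hmac.compare_digest(dk.hex(), dk_hex)


KEY_PREFIX = "tmai_live_"
# prefix -> {"tenant": str, "secret_hash": str, "revoked": bool}; stands in for the key table
KEY_TABLE: Dict[str, dict] = {}


def issue_key(tenant_id: str) -> str:
    """Mint a key; the secret is returned once and only its hash is stored."""
    prefix = secrets.token_hex(4)        # public, indexed, used for revocation lookup
    secret = secrets.token_urlsafe(32)   # never written anywhere in cleartext
    KEY_TABLE[prefix] = {"tenant": tenant_id,
                         "secret_hash": _hash_secret(secret),
                         "revoked": False}
    return f"{KEY_PREFIX}{prefix}.{secret}"


def parse_key(presented: str) -> Optional[Tuple[str, str]]:
    """Split a presented key into (prefix, secret); None if the shape is wrong."""
    if not presented.startswith(KEY_PREFIX):
        return None
    prefix, dot, secret = presented[len(KEY_PREFIX):].partition(".")
    if not dot or not prefix or not secret:
        return None
    return prefix, secret


def authenticate(presented: str) -> Optional[str]:
    """Return the tenant id for a valid, unrevoked key, else None."""
    parsed = parse_key(presented)
    if parsed is None:
        return None
    prefix, secret = parsed
    row = KEY_TABLE.get(prefix)          # O(1) lookup by the cleartext prefix
    if row is None or row["revoked"]:
        return None
    if not _verify_secret(row["secret_hash"], secret):
        return None
    return row["tenant"]


def revoke(prefix: str) -> bool:
    """Revocation needs only the public prefix, never the secret."""
    row = KEY_TABLE.get(prefix)
    if row is None:
        return False
    row["revoked"] = True
    return True
```

Because the stored value is a slow hash, a leaked key table does not yield usable secrets, and revocation works from the dashboard-visible prefix alone.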
Provider-personnel access today is keyed via a single key per engineer, with MFA enforced on the cloud control plane. GAP — B.2.a GAP — B.2.b A centralised personnel offboarding checklist and a rotation policy are roadmapped (see §F).
Customer-side key permissions are coarse-grained today (every issued `tmai_live_*` key has full read of the tenant's licensed surface). GAP — B.4 Per-key scoping is on the §F roadmap, target pre-first EU DMO contract.
Every commercial-table row in TravelMindsAI carries a `license_tag`. The 16-class registry classifies sources as commercial-OK (Apache-2.0, CC0, CC-BY-4.0, ODbL, michelin_licensed, and others) or blocked (Yelp non-commercial, default-deny, unclear-pending-review). A Postgres row-level security policy enforces the per-tenant enabled-license whitelist at query time — your tenant never reads a row from a license class you can't legally use.
Concierge answers ship with a `citations.data_sources` block on every response: each referenced row carries its license tag inline. Your compliance review reads minutes of citations, not weeks of legal interpretation.
The full registry and filtering rules are in the license posture section above and in the API reference.
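An added example, not TravelMindsAI's code, covering the two paragraphs above: the enabled-license whitelist applied as a predicate, the `citations.data_sources` block built from the rows that pass, and the customer-side review the citations enable. The page enforces the predicate as a Postgres RLS policy under the `tmaiv2_api` role; it is applied in Python here only to make the rule visible. The registry entries are a constructed subset of the 16-class registry (tag spellings are assumptions), and the sample rows are constructed.

```python
"""License-whitelist predicate, citations block and customer-side audit.
Added example, not TravelMindsAI's code. The registry below is a constructed
subset (tag spellings assumed); production enforcement is Postgres RLS, not this."""
from dataclasses import dataclass
from typing import Dict, List, Set

# tag -> commercially usable? Blocked classes are False. Constructed subset.
LICENSE_REGISTRY: Dict[str, bool] = {
    "Apache-2.0": True,
    "CC0": True,
    "CC-BY-4.0": True,
    "ODbL": True,
    "michelin_licensed": True,
    "yelp_noncommercial": False,
    "default_deny": False,
    "unclear_pending_review": False,
}


@dataclass(frozen=True)
class Row:
    row_id: str
    name: str
    license_tag: str


# Constructed commercial-table rows, one per interesting license class.
SAMPLE_ROWS: List[Row] = [
    Row("r1", "Hotel Alpha", "CC-BY-4.0"),
    Row("r2", "Cafe Beta", "yelp_noncommercial"),
    Row("r3", "Restaurant Gamma", "michelin_licensed"),
    Row("r4", "Trail Delta", "ODbL"),
    Row("r5", "Museum Epsilon", "unclear_pending_review"),
    Row("r6", "Listing Zeta", "some_new_tag"),   # not in the registry at all
]


def effective_whitelist(tenant_enabled: Set[str]) -> Set[str]:
    """Tags the tenant may read: enabled by contract AND commercial-OK in the
    registry. Tags absent from the registry fall through to False (default-deny)."""
    return {t for t in tenant_enabled if LICENSE_REGISTRY.get(t, False)}


def licensed_rows(rows: List[Row], whitelist: Set[str]) -> List[Row]:
    """The RLS predicate applied client-side: keep rows whose tag is whitelisted."""
    return [r for r in rows if r.license_tag in whitelist]


def build_response(answer: str, cited_rows: List[Row]) -> dict:
    """Concierge-style response with the license tag inline on every citation."""
    return {
        "answer": answer,
        "citations": {"data_sources": [
            {"row_id": r.row_id, "name": r.name, "license_tag": r.license_tag}
            for r in cited_rows
        ]},
    }


def audit_citations(response: dict, approved_tags: Set[str]) -> List[str]:
    """Customer-side check: ids of cited sources whose license tag is outside the
    set the customer's own compliance team has cleared."""
    return [s["row_id"] for s in response["citations"]["data_sources"]
            if s["license_tag"] not in approved_tags]


def demo():
    # Contract enables these classes; 'yelp_noncommercial' is enabled by mistake
    # and 'some_new_tag' is unknown to the registry: both must be dropped.
    enabled = {"CC-BY-4.0", "ODbL", "michelin_licensed",
               "yelp_noncommercial", "some_new_tag"}
    visible = licensed_rows(SAMPLE_ROWS, effective_whitelist(enabled))
    response = build_response("Three options near the old town.", visible)
    # The customer's compliance team has so far cleared only CC and ODbL sources.
    flagged = audit_citations(response, {"CC-BY-4.0", "ODbL"})
    return [r.row_id for r in visible], flagged
```

The intersection in `effective_whitelist` is the part worth copying: a class that a tenant enabled but the registry marks blocked, or a tag the registry has never seen, yields nothing, which is the default-deny behaviour the page describes.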
Cloudflare fronts every Provider endpoint with the OWASP managed WAF ruleset enabled. Origin connections are bound to the Cloudflare backbone (no public Postgres exposure; the database listens on the local Docker bridge only).
Background ingestion (the W-numbered ETL fleet) runs entirely on the Provider's dev infrastructure today. No Customer query path crosses ingestion; the customer-facing gateway reads from a license-filtered view, never from raw scrape buffers.
The on-prem deployment package (currently piloted with Bihar Tourism) ships the same gateway + Concierge surface on a single-GPU Docker compose stack with weekly Parquet refresh. Air-gapped variant available for the highest residency posture.
The current list of Approved Sub-processors lives at /legal/sub-processors. Categories include LLM inference (CONDITIONAL — opt-in cloud Concierge), billing (Paddle + Razorpay), edge / CDN (Cloudflare), source hosting (GitHub), and ANTICIPATED entries for production hosting (Hetzner) and transactional email (Resend).
We provide thirty (30) days' advance written notice before moving an ANTICIPATED entry to ACTIVE, per DPA §7.3. A machine-readable JSON of the current list is published at /legal/sub-processors.json for change-watch automation.
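One shape the change-watch automation mentioned above can take, as an added example that is not TravelMindsAI's code. The page only says a machine-readable JSON exists at /legal/sub-processors.json; the field names (`sub_processors`, `name`, `category`, `status`, `notice_sent_on`), the two snapshots and the dates are all assumptions constructed for this illustration. The diff flags added, removed and status-changed entries, and for an ANTICIPATED-to-ACTIVE move checks whether the 30-day notice the page promises has elapsed.

```python
"""Change-watch over two snapshots of a sub-processor list.
Added example, not TravelMindsAI's code. The JSON schema, entries and dates
are ASSUMPTIONS constructed for illustration."""
import json
from datetime import date
from typing import List, Tuple

NOTICE_DAYS = 30  # the advance-notice window the page commits to (DPA §7.3)

# Constructed "previous" snapshot of /legal/sub-processors.json
PREVIOUS_SNAPSHOT = json.dumps({"sub_processors": [
    {"name": "Cloudflare", "category": "edge/CDN", "status": "ACTIVE"},
    {"name": "Hetzner", "category": "production hosting", "status": "ANTICIPATED"},
    {"name": "Resend", "category": "transactional email", "status": "ANTICIPATED"},
]})

# Constructed "current" snapshot: both anticipated entries went live, one new entry
CURRENT_SNAPSHOT = json.dumps({"sub_processors": [
    {"name": "Cloudflare", "category": "edge/CDN", "status": "ACTIVE"},
    {"name": "Hetzner", "category": "production hosting", "status": "ACTIVE",
     "notice_sent_on": "2026-01-05"},
    {"name": "Resend", "category": "transactional email", "status": "ACTIVE",
     "notice_sent_on": "2026-02-01"},
    {"name": "ExampleCo", "category": "analytics", "status": "ACTIVE"},
]})


def index_by_name(snapshot_json: str) -> dict:
    """Map entry name -> entry dict for one snapshot."""
    return {e["name"]: e for e in json.loads(snapshot_json)["sub_processors"]}


def diff_sub_processors(prev_json: str, curr_json: str,
                        today: date) -> List[Tuple[str, str, str]]:
    """Return sorted (kind, name, detail) findings between two snapshots."""
    prev, curr = index_by_name(prev_json), index_by_name(curr_json)
    findings: List[Tuple[str, str, str]] = []
    for name in curr.keys() - prev.keys():
        findings.append(("added", name, curr[name]["status"]))
    for name in prev.keys() - curr.keys():
        findings.append(("removed", name, prev[name]["status"]))
    for name in prev.keys() & curr.keys():
        p, c = prev[name], curr[name]
        if p["status"] == c["status"]:
            continue
        findings.append(("status", name, f"{p['status']}->{c['status']}"))
        if p["status"] == "ANTICIPATED" and c["status"] == "ACTIVE":
            # Was the promised advance notice actually given NOTICE_DAYS ago?
            sent = c.get("notice_sent_on")
            ok = sent is not None and (today - date.fromisoformat(sent)).days >= NOTICE_DAYS
            findings.append(("notice_ok" if ok else "notice_short", name, sent or "missing"))
    return sorted(findings)


def run_watch(today: date = date(2026, 2, 10)) -> List[Tuple[str, str, str]]:
    """Run the diff over the constructed snapshots for a given 'today' (assumed date)."""
    return diff_sub_processors(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, today)
```

Polling the published JSON on a schedule and feeding the two most recent copies to `diff_sub_processors` gives a customer an auditable record of every list change, independent of e-mail notices.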
Application + gateway logs are collected to the Provider's logging tier today. GAP — D.1.a Shipping those logs to a separate, tamper-evident store is roadmapped, target pre-first EU DMO contract. GAP — D.1.b A SIEM / log-analytics platform is best-effort 12 months. GAP — D.2 Customer-self-service audit-log download is best-effort 12 months.
We're transparent that this is the lowest-maturity area of the posture. The mitigation today is small-blast-radius: pre-revenue means a small, well-known set of access patterns; the gateway is a single deployable; suspicious access shows up in low-volume logs an engineer reviews directly.
Personal-data-breach notification ladder follows GDPR Article 33 (72-hour Customer notification) and DPDP Act §8(6) (Indian Data Protection Board notification within prescribed time). Provider maintains an internal triage / containment timeline:
The reportable channel is [email protected] (Cloudflare Email Routing to the founder). The DPDP grievance channel is [email protected], per the DPDPA §13 grievance-officer requirement.
Every GAP marker on this page corresponds to a row below with a target window. This table is the source-of-truth for "what we promised by when" and is referenced verbatim in our DPA §9.3 acknowledgement.
| Gap ID | Description | Target |
|---|---|---|
| C.2 | Off-site backup with documented retention | Pre-first Tier-3 contract |
| C.3 | DR runbook with RTO / RPO commitments | Pre-first Tier-3 contract |
| D.1.a | Audit-log shipping to tamper-evident store | Pre-first EU DMO contract |
| D.1.b | SIEM or log analytics platform | Best-effort 12 months |
| D.2 | Customer-self-service audit-log download | Best-effort 12 months |
| E.4 | Third-party penetration test | Pre-first EU DMO contract or Q3 cal-2026 |
| A.3 | Concierge query PII redaction at gateway | Pre-first EU DMO contract |
| B.2.b | Documented offboarding checklist | 90 days |
| B.4 | Per-key scoping | Pre-first EU DMO contract |
Targets shift when delivery context shifts (e.g. an EU DMO closes before our internal cal-2026 plan). Updates ship as a new version pill at the top of this page, with the changelog kept in legal/templates/security_measures.md §F.
Direct links to the contractual artifacts referenced above:
CAIQ-Lite (Cloud Security Alliance Consensus Assessment Initiative, pre-filled with our current posture) is a procurement follow-up — request it via [email protected] and we'll return a sized response within five business days. The questionnaire is published by CSA at v4.0.3 and includes ~80 controls across A&A, AIS, BCR, CCC, CEK, DSP, GRC, HRS, IAM, IPY, IVS, LOG, SEF, STA, TVM, UEM.
Security reports / questionnaires: [email protected]
DPDP grievance officer (India): [email protected]
General: [email protected]