Security

Trust is the product.

Tawqee is built so signed records can be defended in court, audited by a regulator, and verified by anyone with the original PDF. Here’s how — concretely.

Encryption

  • TLS 1.3 minimum, HSTS preloaded, modern ciphers only.
  • AES-256 at rest (S3 SSE-KMS).
  • Column-level encryption for PII (MRN, national ID, phone).

Authentication

  • Argon2id password hashing.
  • WebAuthn passkeys + TOTP MFA available.
  • Mandatory MFA for admins; SAML SSO for Enterprise.

Audit trail

  • Hash-chained, append-only `AuditEvent` rows.
  • Tamper detection via verifyEnvelopeAuditChain.
  • RFC 3161 timestamps from a trusted TSA on every signature.
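As an added illustration (not Tawqee's code; the row fields, SHA-256 over canonical JSON and the all-zero genesis link are assumptions), here is a minimal hash-chained, append-only audit log with a verifier in the spirit of verifyEnvelopeAuditChain, plus the external anchor that the chain alone cannot provide:

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed convention: prev_hash of the first row in a chain

def event_hash(event: dict) -> str:
    """SHA-256 over a canonical JSON encoding of every field except `hash`."""
    body = {k: v for k, v in event.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def append_event(chain: list, envelope_id: str, actor: str, action: str, ts: str) -> dict:
    """Append-only: each new row commits to the previous row's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    event = {"seq": len(chain), "envelope_id": envelope_id, "actor": actor,
             "action": action, "ts": ts, "prev_hash": prev_hash}
    event["hash"] = event_hash(event)
    chain.append(event)
    return event

def verify_envelope_audit_chain(chain: list, anchor: Optional[str] = None) -> tuple:
    """Return (ok, reason). Recomputes every hash and every link. `anchor` is the
    head hash as recorded outside the database (e.g. inside an RFC 3161 timestamp
    token); without it, silently dropping the newest rows is undetectable."""
    expected_prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["seq"] != i:
            return False, f"seq gap at index {i}"
        if ev["prev_hash"] != expected_prev:
            return False, f"broken link at seq {i}"
        if ev["hash"] != event_hash(ev):
            return False, f"content tampered at seq {i}"
        expected_prev = ev["hash"]
    if anchor is not None and expected_prev != anchor:
        return False, "head hash does not match anchor (tail truncated?)"
    return True, "ok"

def build_sample_chain() -> list:
    """Constructed sample: three events for one envelope (not real data)."""
    chain: list = []
    append_event(chain, "env-001", "alice@example.com", "sent", "2026-01-05T09:00:00Z")
    append_event(chain, "env-001", "bob@example.com", "viewed", "2026-01-05T09:12:00Z")
    append_event(chain, "env-001", "bob@example.com", "signed", "2026-01-05T09:15:00Z")
    return chain
```

Editing a row, re-hashing an edited row, or deleting a middle row all surface as a failure at the first affected sequence number; only the anchor check catches a truncated tail, which is the gap the TSA timestamp and WORM bucket close.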

Infrastructure

  • Vercel edge runtime + Neon Postgres + S3 / R2 for blobs.
  • Daily PITR backups; quarterly restore drills.
  • Object Lock (WORM) on the audit bucket.

Monitoring

  • 24×7 alerting on auth anomalies and integrity failures.
  • Sentry + structured logs + uptime probes (target 99.9%).
  • Per-IP and per-user rate limiting on /sign and /api.

Incident response

  • Documented runbook with on-call rotation.
  • 24-hour breach notification to affected customers.
  • Annual tabletop + quarterly recovery drills.

Compliance frameworks

Framework                     Status
21 CFR Part 11                Capable — enable per org
EU eIDAS — SES + AES          In production
EU eIDAS — QES                Q3 2026 (via QTSP)
US ESIGN Act + UETA           In production
Saudi PDPL                    In production
UAE Federal Law No. 1         In production
GDPR / UK GDPR                In production
HIPAA (BAA available)         On request
SOC 2 Type II                 Audit in progress
ISO 27001                     Roadmap — Q1 2027

Reporting a vulnerability

We run a coordinated-disclosure program. If you believe you’ve found a security issue, email security@tawqee.com with details and a proof-of-concept. We respond within 24 hours and reward valid reports under our bug bounty (up to $25,000 for critical findings). Please do not disclose publicly until we’ve had a reasonable opportunity to remediate.

Read the full compliance brief

Detailed mapping of 21 CFR Part 11 requirements to Tawqee controls, plus the Validation Plan template and §11.100(c) FDA letter template.