Tabby is built with layered security controls from day one. Because Tabby will handle real money between real people, we treat security as a first-class feature rather than a finish-line fix. This page walks through the protections already in place on this pre-launch site, and the security posture we are committing to as we move toward the Tabby app itself.
Today: the waitlist site
- Encryption in transit. The entire Site is served over HTTPS with modern TLS. Every waitlist submission is encrypted on every hop between your browser and our database: never in the clear, never exposed to the networks in between.
- Hardened, managed database. Waitlist entries are stored in a managed PostgreSQL instance from an enterprise-grade infrastructure partner. Access requires a regularly rotated credential held only by the Tabby team, and inbound traffic is restricted by IP allowlist, so the database is not reachable from the open internet.
- Zero payment data on the marketing site. Data we never collect cannot be breached. We do not ask for card numbers, bank details, or any other financial information at this stage.
- Minimal collection by design. We ask only for the name and phone number we genuinely need to reach you at launch; anything beyond that is optional.
- Continuous monitoring. The site sits behind edge-level rate limiting and request logging, so abnormal traffic is throttled and flagged automatically.
At launch: the Tabby app
The app is being architected on the same principles that protect traditional banking products. Some of what we're building in from day one:
- PCI DSS-compliant payment processing. Card and bank transactions will be handled exclusively by a regulated banking-infrastructure partner, so raw card numbers and account details never touch Tabby's own servers.
- Escrowed settlement. Each participant's contribution will be held in a secure, regulated escrow account until every share of the tab has been paid. Only once the full amount is collected is a one-time virtual card issued for it: no one fronts the bill, and no one is left chasing.
- AES-256 encryption at rest. Personal and transactional data will be encrypted at rest with industry-standard algorithms. Keys are managed through a dedicated key-management service and rotated on a regular schedule.
- Biometric authentication. Accounts will require phone verification and support device-level biometrics (Face ID, Touch ID, and Android biometrics), so you can lock Tabby to your device.
- Principle of least privilege. Internally, access to production data is strictly role-based, logged, and audited. No single person holds broad, unreviewed access to user data.
- Third-party review. Before general availability, Tabby will undergo independent security testing — penetration tests and code review — by experienced security professionals.
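The escrow rule described in this list (funds held until every share is paid, the one-time card issued only then) is easy to get subtly wrong in code: a retried payment webhook credits the same payment twice, a card gets minted twice, or one person's money quietly covers another's share. The Go program below is an added illustration of that rule, not Tabby's code and not its banking partner's API. The tab, participants, amounts, payment references and the card-issuer callback are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

type Money int64 // integer minor units (cents); money is never a float

type TabState int

const (
	Collecting TabState = iota // shares outstanding; collected funds sit in escrow
	Funded                     // every share received; card not yet issued
	Settled                    // one-time virtual card issued for the full amount
)

var (
	ErrNotCollecting = errors.New("tab is no longer collecting")
	ErrBadAmount     = errors.New("amount is not positive or exceeds what this payer owes")
	ErrNotFunded     = errors.New("tab is not fully funded")
)

// CardIssuer is the banking partner's call that mints a one-time virtual card (a stand-in here).
type CardIssuer func(tabID string, amount Money) (cardRef string, err error)

type Tab struct {
	ID      string
	State   TabState
	CardRef string
	total   Money
	shares  map[string]Money // participant -> share owed
	paid    map[string]Money // participant -> amount collected into escrow
	applied map[string]bool  // payment references already credited
}

func NewTab(id string, shares map[string]Money) (*Tab, error) {
	t := &Tab{ID: id, shares: map[string]Money{}, paid: map[string]Money{}, applied: map[string]bool{}}
	for p, owed := range shares {
		if owed <= 0 {
			return nil, fmt.Errorf("share for %s must be positive", p)
		}
		t.shares[p], t.total = owed, t.total+owed
	}
	return t, nil
}

// RecordPayment credits a participant's escrow balance. It is idempotent on paymentRef
// (webhooks and retries deliver duplicates) and rejects overpayment so nothing ever needs
// refunding. Non-participants owe nothing, so they are rejected too. One participant's
// money never covers another's share, so nobody fronts the bill.
func (t *Tab) RecordPayment(paymentRef, payer string, amount Money) error {
	if t.State != Collecting {
		return ErrNotCollecting
	}
	if t.applied[paymentRef] {
		return nil // already credited; never double count
	}
	if amount <= 0 || t.paid[payer]+amount > t.shares[payer] {
		return ErrBadAmount
	}
	t.applied[paymentRef] = true
	t.paid[payer] += amount
	if t.Outstanding() == 0 {
		t.State = Funded
	}
	return nil
}

// Outstanding is the total still owed across all participants.
func (t *Tab) Outstanding() Money {
	var due Money
	for p, owed := range t.shares {
		due += owed - t.paid[p]
	}
	return due
}

// IssueCard mints the card only once the tab is Funded, and at most once: a repeated
// call returns the existing reference instead of minting a second card.
func (t *Tab) IssueCard(issue CardIssuer) (string, error) {
	switch t.State {
	case Settled:
		return t.CardRef, nil
	case Collecting:
		return "", ErrNotFunded
	}
	ref, err := issue(t.ID, t.total)
	if err != nil {
		return "", err
	}
	t.CardRef, t.State = ref, Settled
	return ref, nil
}

func main() {
	tab, _ := NewTab("tab-1", map[string]Money{"alice": 2500, "bob": 1500}) // constructed sample
	_ = tab.RecordPayment("pay-1", "alice", 2500)
	_, err := tab.IssueCard(func(string, Money) (string, error) { return "vcard-1", nil })
	fmt.Println("outstanding:", tab.Outstanding(), "card before full funding:", err)
}
```

The three checks that matter for money are the state gate in IssueCard, the idempotency set keyed on the payment reference, and the per-payer cap that stops one participant's funds from standing in for another's. Amounts are integer cents throughout; a real implementation would also persist each transition atomically so a crash between "mark funded" and "card issued" cannot be replayed.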
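Encryption at rest with a key-management service and scheduled rotation usually means envelope encryption: each record gets its own data key, and only that small key is re-encrypted when the master key rotates, so rotation never has to rewrite the data itself. The Go program below is an added example of that pattern using AES-256-GCM from the standard library. It is not Tabby's implementation; the in-memory KeyStore stands in for a real KMS (which would never export its master keys), and the sample row and its ID are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for the KMS: key-encryption keys (KEKs) by version, one current. In-memory so it runs offline.
type KeyStore struct {
	current uint32
	keks    map[uint32][]byte
}

// Rotate creates a fresh 256-bit KEK and makes it current; old versions stay loaded until every record is rewrapped.
func (ks *KeyStore) Rotate() uint32 {
	ks.current++
	ks.keks[ks.current] = randomBytes(32)
	return ks.current
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy there is no safe way to continue
	}
	return b
}

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are always the 32 bytes from randomBytes: a bug, not a runtime condition
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal is AES-256-GCM with a random 96-bit nonce prepended. aad is authenticated, not encrypted:
// it binds the ciphertext to its context (here the row ID) so it cannot be replayed onto another row.
func seal(key, plaintext, aad []byte) []byte {
	aead := aeadFor(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// Record is the stored form: data encrypted under a per-record data-encryption key (DEK),
// plus that DEK wrapped under a versioned KEK. The row ID is AAD on both layers.
type Record struct {
	KEKVersion uint32
	WrappedDEK []byte
	Ciphertext []byte
}

func Encrypt(ks *KeyStore, recordID string, plaintext []byte) *Record {
	dek, aad := randomBytes(32), []byte(recordID)
	return &Record{KEKVersion: ks.current, WrappedDEK: seal(ks.keks[ks.current], dek, aad), Ciphertext: seal(dek, plaintext, aad)}
}

func unwrapDEK(ks *KeyStore, recordID string, r *Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is not available", r.KEKVersion)
	}
	return open(kek, r.WrappedDEK, []byte(recordID))
}

func Decrypt(ks *KeyStore, recordID string, r *Record) ([]byte, error) {
	dek, err := unwrapDEK(ks, recordID, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

// Rewrap moves a record onto the current KEK. Only the 32-byte DEK is re-encrypted;
// the bulk ciphertext is untouched, which is what makes scheduled rotation cheap.
func Rewrap(ks *KeyStore, recordID string, r *Record) error {
	dek, err := unwrapDEK(ks, recordID, r)
	if err != nil {
		return err
	}
	r.WrappedDEK = seal(ks.keks[ks.current], dek, []byte(recordID))
	r.KEKVersion = ks.current
	return nil
}

func main() {
	ks := &KeyStore{keks: map[uint32][]byte{}}
	ks.Rotate()
	rec := Encrypt(ks, "waitlist:42", []byte("+1 555 0100")) // constructed sample row
	pt, err := Decrypt(ks, "waitlist:42", rec)
	fmt.Printf("%q err=%v kek=%d\n", pt, err, rec.KEKVersion)
}
```

A rotation run is Rotate, then Rewrap over every stored record, then retire the old version; a record still carrying a retired version fails closed rather than decrypting with the wrong key. Using the row ID as associated data on both layers is the cheap defence against an attacker with database write access swapping one user's ciphertext into another user's row.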
Reporting a vulnerability
Security is a team sport, and we genuinely appreciate the community that helps make software safer. If you believe you've found a security issue in this site, in a preview of the app, or anywhere else Tabby-related, please tell us. For now, reach out through the "Ask Tabby" chat with the details and we'll route it to the right person. A dedicated security disclosure address will be published here at launch. We commit to responding quickly, fixing verified issues on a clear timeline, and giving researchers public credit when they want it.
Changes
This page will evolve as Tabby's infrastructure matures toward launch and beyond. Material updates will always be flagged here and dated above.
