Tabby is being built to handle money, so security isn't an afterthought. This page describes how we protect the information you share with us on this pre-launch site, and the direction we're taking for the app.
Today: the waitlist site
- Encryption in transit — the entire Site is served over HTTPS/TLS. Waitlist submissions travel encrypted end-to-end between your browser and our database.
- Managed database — waitlist entries are stored in a managed PostgreSQL instance. Database access requires a rotating credential known only to the Tabby team and is restricted by an IP allowlist.
- No payment data — we do not collect card numbers, bank details, or any financial information on this pre-launch site.
- Minimal collection — we ask only for the name and phone number needed to reach you at launch.
At launch: the Tabby app
- PCI-compliant payments — card and bank transactions will be handled by a regulated banking-infrastructure partner. Tabby will not store card numbers or account details on our own servers.
- Escrowed settlement — participant funds will be held in a secure escrow account until a tab is fully paid. A one-time virtual card is generated only when the full amount is collected.
- Encryption at rest — personal and transactional data will be encrypted at rest using industry-standard algorithms.
- Authentication — accounts will require phone verification and support device-level biometrics (Face ID / Touch ID / Android biometrics).
Reporting a vulnerability
If you believe you have found a security issue — in this site, in a preview of the app, or anywhere else — please reach out through the "Ask Tabby" chat on the site with details. A dedicated security address will be published here at launch. We appreciate responsible disclosure and will respond as quickly as we can.
Changes
This page will be updated as Tabby's infrastructure evolves toward launch. Material updates will be dated above.
