Data & Security
LAST UPDATED: 27 MAY 202601. Infrastructure
Triopia runs on Cloudflare. We use Cloudflare Workers for application logic, Cloudflare D1 for the database, and Cloudflare R2 for object storage. Cloudflare handles edge networking, DDoS protection, and TLS termination.
02. Encryption in transit
All traffic between your device and Triopia is encrypted using TLS over HTTPS, as enforced by Cloudflare. Connections that do not negotiate a current TLS version are not accepted.
03. Encryption at rest
Data at rest is encrypted using AES-256, the default encryption applied by Cloudflare D1 and Cloudflare R2. Cloudflare manages the disk-level keys for these services.
04. Authentication
Sign-in is passwordless. We use one-time email magic links. We do not store passwords, which eliminates the most common credential-theft attack pattern.
05. Session security
After sign-in, your session is held in a short-lived signed token. Tokens expire on a regular cadence, and you can sign out from any device at any time.
06. Workspace isolation
Each workspace is keyed to its owner. Application queries filter by workspace and user identifiers so that data from one account is not returned in queries made by another account.
07. Access by Triopia staff
Production access is restricted to a small number of authorized personnel and used only when needed to operate, repair, or secure the service. Triopia staff do not routinely read your messages, files, or content.
08. Third-party providers
In addition to Cloudflare, we use Stripe for payments and selected AI model providers for assistant features. Data is shared with these providers only as needed to deliver the corresponding feature. Their privacy practices are governed by their own terms.
09. Backups
We rely on the durability properties of Cloudflare D1 and R2 for persistence. We do not promise a custom backup window beyond what those services provide. Critical data should be exported by the workspace owner if a separate copy is required.
10. Vulnerability handling
If you discover a security issue, contact us through the support channel with as much detail as you can share. We take reports seriously and will respond to credible disclosures.
11. Security event notifications
If we detect a security event that materially impacts the data in your workspace, we will notify the affected workspace owner by email. We do not commit to a fixed notification window beyond the requirements of applicable law.
12. Data export
You can request a structured export of the content in your workspace, including messages, contacts, calendar entries, and documents.
13. Account deletion
You can delete your account from settings. When you delete your account, we remove workspace content from active production systems. Residual copies may remain in routine backups for a limited time before being overwritten on their normal rotation.
14. Updates
We update this policy as the product changes. Material changes will be announced inside the product or by email to workspace owners.