Security

Trovari helps you track what you own, where it's stored, and what it's worth. That means trusting us with information about your valuable belongings — and we treat that responsibility accordingly.

This page describes how we protect your data. We believe in being specific rather than vague, and honest about what we do and don't do.

Encryption

• At rest — All data, including database storage and backups, is encrypted using AES-256. Encryption keys are generated per project and protected by FIPS 140-2 compliant hardware security modules (HSMs).
• In transit — Every connection to Trovari uses TLS 1.2 or higher. All API traffic is HTTPS-only — unencrypted connections are never accepted.

Infrastructure

Trovari is built on Supabase, which maintains SOC 2 Type II certification with annual independent audits. Supabase runs on Amazon Web Services (AWS), which maintains its own extensive compliance program including SOC 2 and ISO 27001 certifications.

• Database backups — Automatic daily backups with point-in-time recovery capability.
• DDoS protection — Network-level DDoS mitigation via Cloudflare, with brute-force prevention on authentication endpoints.
• Hosting region — Data is stored in AWS data centers in the United States.

Tenant Isolation

Trovari is multi-tenant from the ground up. Every space (household, family, or organization) is isolated at the database level using PostgreSQL Row Level Security (RLS) policies. This means:

• Database-enforced boundaries — RLS policies run inside the database engine itself — not in application code. Even if application logic had a bug, the database would still prevent cross-tenant data access.
• Every table, every query — RLS is enforced on every tenant-scoped table. There are no exceptions or bypass paths for convenience.
• Role-based access — Within a space, members have specific roles (viewer, member, manager, admin, owner) that control what they can see and do.

Authentication

• Secure password storage — Passwords are hashed using bcrypt — we never store plaintext credentials.
• OAuth support — Sign in with Google is available as an alternative to email and password.
• Session management — Authentication tokens are managed by Supabase Auth with automatic expiration and secure refresh handling.

Your Data

We collect only what's necessary to run the service. Here is what we do not do with your data:

• We do not sell your data to third parties.
• We do not share your data with advertisers.
• We do not use your inventory data to train AI models.
• We do not access your data unless required for support you've requested or to maintain the service.

You can export your data or request deletion at any time by contacting us.

Payment Processing

We never store credit card numbers or payment credentials on our servers. All payment processing is handled by Stripe, which is PCI Level 1 certified — the highest level of certification in the payments industry.

Application Security

• Input validation — User input is validated and sanitized on both client and server to prevent injection attacks.
• Dependency monitoring — Third-party dependencies are monitored for known vulnerabilities and updated regularly.
• Least privilege — Internal services and database connections follow the principle of least privilege — each component only has access to the data it needs.

Responsible Disclosure

If you believe you've found a security vulnerability in Trovari, we want to hear about it. Please email us at security@trovari.ai and we'll respond promptly.

We appreciate responsible disclosure and will work with you to understand and address any issues.