Last updated July 16, 2026
Security
This page is maintained by the Togetherward team to answer common security questions about the app. It describes controls that are currently enabled — not a certification, and not independent verification.
Togetherward is a small team in private beta. We do not hold SOC 2, ISO 27001, HIPAA, PCI DSS, or GDPR compliance certifications. Do not treat this page as an audit report. If a specific certification is required for your use case, please contact us through the support page before signing up.
Current security posture
- Tenant isolation is enforced by row-level security tied to case membership, and by private object-storage buckets that only serve short-lived signed URLs.
- Operator access to case content is being actively minimized. We maintain an internal inventory of every code path that can read user content, and an audit of every server-side path that runs with elevated privileges.
- Server-side error logs and telemetry are scrubbed of signed URLs, storage paths, document names, email bodies, note contents, and access tokens before they leave the application.
- New protected content is encrypted on your device before upload once a case has encryption enabled. Shared-note bodies, case-memory bodies, and the file bytes of new document and evidence uploads are encrypted in the browser with a case key that only members can unwrap. Togetherward does not hold decryption keys, and our servers, storage layer, operators, and any automated processing (OCR, AI, previews, intake) cannot read the plaintext.
- Filenames, MIME types, sizes, categories, dates, evidence links, and other structured metadata remain server-readable so search, gap analysis, calendar, and exports keep working. This is not end-to-end encrypted; the E2EE claim applies only to note bodies, memory bodies, and file bytes.
- Automated document processing (OCR, AI extraction, server-side previews) is unavailable for encrypted documents. A future explicit consent flow will be required before any such processor runs on decrypted bytes.
- Any legacy or demo plaintext rows created before encryption was enabled on a case are clearly labeled and are excluded from the end-to-end encryption claim. Pre-launch, we run a diagnostic that fails go/no-go until non-fixture plaintext counts are zero.
- Encryption uses AES-256-GCM with per-file random nonces, per-user random KEKs wrapped by an Argon2id-derived passphrase key, and per-case CEKs wrapped for each member. Losing every device without a recovery kit means encrypted content cannot be recovered — we hold no escrow key.
Access controls
- Every case is protected by row-level security scoped to case membership.
- Partners join a case only via an invite that must match the invited email.
- Case owners are the only accounts that can invite, remove members, or delete a case.
- Destructive actions are enforced server-side, not only in the UI.
- Invite tokens expire and can be revoked at any time by the case owner.
Data storage and transport
- Application data lives in managed Postgres on Supabase (hosted on cloud infrastructure with encryption at rest managed by our provider).
- Uploaded documents live in a private object storage bucket. Downloads use short-lived signed URLs generated only for the requesting member.
- All traffic to togetherward.app is served over HTTPS.
- Application secrets are stored server-side and never sent to the browser.
Authentication
Sign-in uses email/password and Google OAuth via our identity provider. We support password strength enforcement and check credentials against the “Have I Been Pwned” leaked-password list on signup and password change.
Backups and recovery
Our database provider takes automated daily backups with point-in-time recovery inside their retention window. We periodically verify that exports and restores work. Object storage is durable but not versioned beyond the provider’s defaults, so deleted documents cannot be recovered.
Logging and telemetry
Server errors are reported with stack traces stripped of document names, notes, contact information, invite tokens, and signed URLs. Product analytics record aggregate events only and never case content.
Third-party subprocessors
- Supabase — managed Postgres, authentication, and object storage.
- Cloudflare — hosting, edge network, and DNS.
- Stripe — billing.
- Togetherward-hosted email service — transactional email delivery.
Reporting a vulnerability
If you believe you’ve found a security issue, please contact us via the support page. Include a description, reproduction steps, and impact. Do not include real case content or another user’s data. We’ll acknowledge reports and keep you posted on remediation.
Shared responsibility
Togetherward secures the application and the data we store. You are responsible for keeping your login credentials safe, choosing whom to invite to your case, and reviewing what you upload.
Not legal advice.
Togetherward is an organizational and planning tool for couples navigating international immigration paperwork. It is not a law firm, is not affiliated with any government agency, and does not guarantee any immigration outcome, eligibility, or admission. For legal advice, consult a licensed attorney in the relevant jurisdiction.