Security & Data Protection Policy

Last Updated: October 14, 2025

Company: Dark Zorse Ltd (Operating as Tulo)

1. Introduction

From day one, Tulo has been committed to building enterprise-grade security into our product and operations. This document provides transparency into how we protect customer data and maintain security across our platform.

TABLE OF CONTENTS

  1. Introduction
  2. Compliance Roadmap
  3. Infrastructure & Technology
  4. Data Protection Measures
  5. Access Controls & Authentication
  6. Vulnerability Management
  7. Insurance
  8. Security Contact

2. Compliance Roadmap

We are currently implementing security controls aligned with ISO 27001 and SOC 2 requirements.

  • Current Status: Implementing security controls and building comprehensive security policies.

  • Target Certification: We are targeting ISO 27001 certification and SOC 2 Type 1 attestation by January 2026.

3. Infrastructure & Technology

Tulo's platform uses a modern, cloud-based stack built from leading infrastructure providers and developer tools:

  • AWS: Cloud functions, email processing, and AI.

  • Convex.dev: Backend-as-a-Service for serverless functions and real-time database.

  • Next.js + Vercel: Frontend framework and hosting for web app and API routes.

  • PlanetScale (Postgres): Primary relational database for structured data.

  • Clerk: Enterprise-grade user authentication and access control.

4. Data Protection Measures

We classify data into Public, Internal, Confidential (Customer account info), and Restricted (Financial transaction data) categories. We implement encryption at multiple levels:

Encryption

  • At Rest: All databases are encrypted using AWS RDS encryption with AES-256. Encryption keys are managed through AWS Key Management Service (KMS).

  • In Transit: TLS 1.2+ is enforced for all data transmissions, and HTTPS is required for all web traffic.

  • Application-Level: Sensitive fields receive an additional layer of encryption, with encryption and decryption performed within the application layer rather than relying solely on database-level encryption at rest.

Data Retention

Customer data is retained only as long as necessary for business purposes, with secure deletion procedures when accounts are terminated.

5. Access Controls & Authentication

For authentication and authorization controls, we use:

  • Authentication: Strong password policies are enforced, and Multi-Factor Authentication (MFA) is required for administrative access.

  • Identity Management: We use Clerk for secure user management.

  • RBAC: Role-based access control is applied with the principle of least privilege.

  • OAuth 2.0: Industry-standard secure authorization is used for integrations with Xero and QuickBooks.

6. Vulnerability Management

  • Scanning: Automated vulnerability scanning provided by GitHub, with weekly assessments.

  • Patching: Automated patch deployment for critical security updates and immediate scanning after major system changes.

7. Insurance

To complement our security protocols, Dark Zorse Ltd maintains commercial insurance policies tailored to a regulated environment.

  • Cyber Liability: Coverage for breach response and regulatory defense.

  • Professional Indemnity: Coverage for errors and omissions.

  • Directors & Officers: Standard D&O coverage.

8. Security Contact

For questions regarding our security posture or to report a vulnerability, please contact our Data Protection Officer:

Andrew Arderne
CTO & DPO
Email: andrew@tulo.co
ICO Reference: CSN2142333