Security at Tuttle

Tuttle is a medical records request platform built for law firms. We take the security of our customers' data seriously. This page describes our security practices and how to report vulnerabilities.

Reporting a Vulnerability

If you believe you've found a security vulnerability in Tuttle, please contact us at jason@tuttle.work. We ask that you:

  • Provide a clear description of the vulnerability and steps to reproduce it

  • Allow reasonable time for us to investigate and address the issue before public disclosure

  • Avoid accessing or modifying other users' data

  • Act in good faith

We will acknowledge receipt within 3 business days and aim to provide an initial assessment within 10 business days. We will not pursue legal action against researchers who follow these guidelines.

Infrastructure

  • Hosted on Google Cloud Platform with network-isolated database instances (no public access)

  • All data encrypted in transit (TLS) and at rest

  • Secrets managed via GCP Secret Manager — never stored in code or environment files

  • Multi-environment isolation (development, staging, production) with separate GCP projects

  • Administrative access only over connections tunneled through Google Cloud Identity-Aware Proxy (IAP), which authenticates the administrator before a connection reaches the host

Authentication

  • Passwordless authentication using passkeys (WebAuthn standard) — no passwords are stored or transmitted

  • Session-based access with server-side session management, so session state is kept on the server rather than trusted from the client

  • Role-based access control at both system and firm levels

  • API keys stored only as Argon2id hashes, with API-key authentication rate-limited to slow brute-force guessing

Data Protection

  • Row-level security (RLS) enforced at the database layer, ensuring tenant isolation

  • Least-privilege database access: application code connects through three connection pools, each bound to a database role with a different permission level

  • Comprehensive audit logging of all data modifications, including user identity, timestamps, and changed fields

  • Files stored in private cloud storage buckets with access controls
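The three controls above (tenant isolation through row-level security, least-privilege connection pools, and field-level audit logging) fit together in one PostgreSQL schema. The following is an added example written for this page, not Tuttle's own schema: it assumes PostgreSQL (row-level security is a PostgreSQL feature) and uses illustrative names for the roles (tuttle_migrator, tuttle_app, tuttle_readonly), the table and columns (medical_requests, firm_id), and the per-transaction settings (app.firm_id, app.user_id).

```sql
-- Added example, not Tuttle's schema. PostgreSQL is assumed (RLS is a
-- PostgreSQL feature); the role, table, column and setting names below
-- (tuttle_migrator, tuttle_app, tuttle_readonly, medical_requests,
-- firm_id, app.firm_id, app.user_id) are illustrative.

-- 1. One database role per connection pool. Credentials are omitted here;
--    in practice they come from a secrets manager, not from the schema.
CREATE ROLE tuttle_migrator LOGIN;   -- migrations only; owns the tables
CREATE ROLE tuttle_app      LOGIN;   -- request handlers; RLS applies
CREATE ROLE tuttle_readonly LOGIN;   -- reporting/support; RLS applies
ALTER ROLE tuttle_readonly SET default_transaction_read_only = on;

CREATE TABLE medical_requests (
    id       bigserial PRIMARY KEY,
    firm_id  bigint NOT NULL,
    patient  text   NOT NULL,
    status   text   NOT NULL DEFAULT 'open'
);
ALTER TABLE medical_requests OWNER TO tuttle_migrator;
GRANT SELECT, INSERT, UPDATE ON medical_requests TO tuttle_app;
GRANT USAGE ON SEQUENCE medical_requests_id_seq TO tuttle_app;
GRANT SELECT ON medical_requests TO tuttle_readonly;

-- 2. Row-level security keyed on a per-transaction setting. Table owners and
--    superusers bypass RLS, which is why the application pools must never
--    connect as tuttle_migrator. An unset or empty setting becomes NULL and
--    matches no rows, so a handler that forgets to set it sees nothing.
ALTER TABLE medical_requests ENABLE ROW LEVEL SECURITY;
CREATE POLICY firm_isolation ON medical_requests
    USING      (firm_id = NULLIF(current_setting('app.firm_id', true), '')::bigint)
    WITH CHECK (firm_id = NULLIF(current_setting('app.firm_id', true), '')::bigint);

-- 3. Append-only audit log written by a SECURITY DEFINER trigger, so the
--    application roles need no write privilege on audit_log and cannot
--    edit or delete entries.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor_id    text        NOT NULL,
    table_name  text        NOT NULL,
    operation   text        NOT NULL,   -- INSERT / UPDATE / DELETE
    row_id      bigint,
    changed     jsonb       NOT NULL    -- {"col": {"old": ..., "new": ...}, ...}
);
ALTER TABLE audit_log OWNER TO tuttle_migrator;
GRANT SELECT ON audit_log TO tuttle_readonly;

CREATE OR REPLACE FUNCTION record_audit() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
DECLARE
    old_row jsonb := '{}'::jsonb;
    new_row jsonb := '{}'::jsonb;
    diff    jsonb := '{}'::jsonb;
    col     text;
BEGIN
    IF TG_OP <> 'INSERT' THEN old_row := to_jsonb(OLD); END IF;
    IF TG_OP <> 'DELETE' THEN new_row := to_jsonb(NEW); END IF;
    -- Record only the columns whose value actually changed.
    FOR col IN SELECT jsonb_object_keys(old_row || new_row) LOOP
        IF old_row -> col IS DISTINCT FROM new_row -> col THEN
            diff := diff || jsonb_build_object(col,
                jsonb_build_object('old', old_row -> col, 'new', new_row -> col));
        END IF;
    END LOOP;
    INSERT INTO audit_log (actor_id, table_name, operation, row_id, changed)
    VALUES (COALESCE(NULLIF(current_setting('app.user_id', true), ''), 'unknown'),
            TG_TABLE_NAME, TG_OP,
            COALESCE((new_row ->> 'id')::bigint, (old_row ->> 'id')::bigint),
            diff);
    RETURN NULL;   -- AFTER trigger: return value is ignored
END $$;
ALTER FUNCTION record_audit() OWNER TO tuttle_migrator;

CREATE TRIGGER medical_requests_audit
    AFTER INSERT OR UPDATE OR DELETE ON medical_requests
    FOR EACH ROW EXECUTE FUNCTION record_audit();

-- 4. Shape of one request-handler transaction on the tuttle_app pool.
--    set_config(..., true) is transaction-local, so a pooled connection
--    cannot carry one firm's scope into the next request; in application
--    code the two values are bound parameters, not string-built SQL.
BEGIN;
SELECT set_config('app.firm_id', '42', true);
SELECT set_config('app.user_id', 'user_7f3a', true);
-- If row 1001 belongs to another firm the policy hides it: 0 rows updated,
-- no error. Handlers should treat an unexpected 0 as a failure.
UPDATE medical_requests SET status = 'fulfilled' WHERE id = 1001;
COMMIT;
```

Two points worth checking in any deployment of this pattern: the policy silently filters rather than erroring, so an UPDATE or DELETE that touches another tenant's row reports zero affected rows and the handler has to notice; and because owners and superusers bypass row-level security, the pool that owns the tables must be reserved for migrations and never used by request handlers.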

Application Security

  • Database queries generated from checked SQL with SQLC as type-safe, parameterized statements, so user input is bound as a parameter rather than concatenated into query text, preventing SQL injection in application queries

  • Rate limiting on authentication and API endpoints

  • Strict CORS policy restricted to application origins

  • Input validation at API boundaries
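What the SQLC approach looks like in practice: queries are written as annotated SQL, SQLC checks them against the schema at build time and generates typed functions, and the placeholders reach the database as bound parameters. The query file below is an added example for this page, not Tuttle's own code; the table and column names (medical_requests, firm_id, patient, status) are assumptions.

```sql
-- Added example, not Tuttle's query file. The "-- name:" comments are sqlc's
-- annotation syntax; the table and columns are assumed for illustration.
-- sqlc generates one typed function per query, and $1/$2 are sent to
-- PostgreSQL as bound parameters, never spliced into the SQL text.

-- name: GetRequest :one
SELECT id, firm_id, patient, status
FROM medical_requests
WHERE id = $1;

-- name: ListRequestsByStatus :many
SELECT id, firm_id, patient, status
FROM medical_requests
WHERE status = $1
ORDER BY id
LIMIT $2;

-- name: UpdateRequestStatus :exec
UPDATE medical_requests
SET status = $2
WHERE id = $1;

-- What this rules out. A hand-built query such as
--   "SELECT ... FROM medical_requests WHERE status = '" || input || "'"
-- lets the input   ' OR '1'='1   rewrite the query's structure. With a bound
-- parameter the same input is compared literally against the status column
-- and matches nothing. The $2 in LIMIT is bound the same way, so a caller
-- cannot turn a page size into a second statement.
```

Note that parameterization does not by itself scope a query to a tenant: none of these queries filters on firm_id, so that scoping has to come from a row-level security policy or an explicit firm_id predicate in every query.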

Compliance

Tuttle handles medical records on behalf of law firms. Our security controls are designed to meet the requirements of handling sensitive health and legal information.

Contact

For security concerns: jason@tuttle.work
For general support: support@tuttle.work