Our Security Principles

We believe security isn't just a feature—it's a foundation. Every decision we make considers the privacy and protection of your data first.

Encryption at Rest

All your calendar data is encrypted when stored. Even if someone gained access to our databases, your information would be unreadable.

Encryption in Transit

All connections to Tilly use TLS 1.3 encryption. Your data is protected every step of the way between your device and our servers.

Minimal Data Collection

We only collect what's necessary to provide our service. We don't sell your data, and we never will.

OAuth Authentication

We use OAuth 2.0 for calendar connections. We never see or store your calendar provider passwords.

Regular Audits

We regularly review our security practices and update our systems to address new threats and vulnerabilities.

Data Portability

Your data belongs to you. You can export or delete your data at any time from your account settings.

Infrastructure

Tilly is built on modern, secure infrastructure:

Cloud hosting with industry-leading security certifications
Automatic backups to protect against data loss
DDoS protection to ensure service availability
Isolated environments to prevent cross-contamination

Responsible Disclosure

We value the security research community. If you discover a security vulnerability, please report it responsibly to security@trytilly.com. We commit to:

Acknowledging your report within 48 hours
Keeping you informed of our progress
Not pursuing legal action against good-faith researchers

Questions?

If you have any questions about our security practices, please reach out to us at security@trytilly.com.

Security at Tilly