Security
Security & data handling.
How TabNudge connects to Xero, handles your data, works with the AI provider, and meets the rules in NZ and Australia. Plain English. Every claim is true today.
01. How TabNudge connects to Xero
OAuth, scoped access, revocable any time.
- Auth: OAuth 2.0 with scope limited to invoices and contacts.
- Scopes excluded: TabNudge does not request bank, payment, or payroll scopes.
- Revocation: Access can be revoked at any time from your Xero account settings.
- Data deletion: On revocation, customer data is deleted within 30 days.
02. Data handling
Encrypted in transit and at rest.
- In transit: All data in transit is encrypted via TLS 1.3.
- At rest: Customer data at rest is encrypted using AES-256.
- Application infra: TabNudge runs on Vercel infrastructure.
- Database: Hosted on Supabase in the Sydney (AU) region.
- Payment data: Credit card and banking information is never stored.
03. How the AI handles your data
Minimal inputs. Request-scoped. No training.
- Provider: TabNudge uses OpenAI for generating draft follow-ups.
- Inputs to the AI: The AI provider sees only the customer reply text, the invoice metadata (number, amount, due date), and the selected tone preference.
- Lifetime: Customer data passed to the AI is processed for the duration of the request only.
- Training: Per OpenAI's API terms, data submitted via the API is not used to train OpenAI's models by default.
- More detail: See /how-the-ai-works for the full breakdown.
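As an added illustration of the allowlist approach behind the minimal-inputs claim above (example code, not TabNudge's own): the outbound AI request is constructed only from the listed fields, and an egress guard confirms that nothing else from the internal record reaches the provider. Record field names, tone values and sample data are constructed assumptions.

```python
from datetime import date
from decimal import Decimal
import json

# Constructed internal record: the kind of data an app might hold about an
# invoice and its contact. Field names are assumptions, not Xero's or TabNudge's.
INTERNAL_INVOICE = {
    "invoice_number": "INV-0042",
    "amount_due": Decimal("1250.00"),
    "due_date": date(2024, 3, 31),
    "contact_name": "Example Pty Ltd",
    "contact_email": "accounts@example.invalid",
    "bank_account": "12-3456-7890123-00",
}

# Assumed tone vocabulary; anything else is rejected before it reaches the provider.
ALLOWED_TONES = frozenset({"friendly", "neutral", "firm"})

# Fields that must never appear in the outbound payload, by key or by value.
FORBIDDEN_KEYS = ("contact_name", "contact_email", "bank_account")


def build_ai_request(reply_text: str, invoice: dict, tone: str) -> dict:
    """Project the internal record onto the minimal payload the AI provider may
    see: reply text, invoice number/amount/due date, tone. Because the payload is
    built from an allowlist (not by redacting the full record), any field added
    to the internal record later is excluded by default."""
    if tone not in ALLOWED_TONES:
        raise ValueError(f"unsupported tone: {tone!r}")
    return {
        "reply_text": reply_text,
        "invoice": {
            "number": invoice["invoice_number"],
            "amount": str(invoice["amount_due"]),
            "due_date": invoice["due_date"].isoformat(),
        },
        "tone": tone,
    }


def payload_is_minimal(payload: dict, source: dict) -> bool:
    """Egress guard run just before the provider call: the payload has exactly
    the allowed keys, and no forbidden value from the source record leaks into
    the serialised body."""
    if set(payload) != {"reply_text", "invoice", "tone"}:
        return False
    if set(payload["invoice"]) != {"number", "amount", "due_date"}:
        return False
    body = json.dumps(payload)
    return not any(str(source[k]) in body for k in FORBIDDEN_KEYS if k in source)
```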
04. Compliance
NZ and AU rules covered.
- NZ email rules: Compliant with the New Zealand Unsolicited Electronic Messages Act 2007 — sending is limited to email addresses on Xero invoices, with clear unsubscribe paths.
- AU email rules: Compliant with the Australian Spam Act 2003.
- Privacy: Customer contact data is handled in accordance with the New Zealand Privacy Act 2020 and the Australian Privacy Act 1988.
05. Operational practices
Active development, monitored uptime.
- Development: Active ongoing development on the product.
- Monitoring: Production monitoring and alerting on application uptime.
- Status page: Public status page: status.tabnudge.com
06. Reporting a vulnerability
Disclosures get triaged in one business day.
- Contact: support@tabnudge.com with subject "Security disclosure".
- Response: Initial response within 1 business day.