Our Commitment
At Tarifix, we understand that your product catalog, supplier relationships, and tariff exposure data are competitively sensitive. We've built our platform with security and privacy as foundational requirements, not afterthoughts.
SOC 2 Type II Certified (In Progress)
We are currently undergoing SOC 2 Type II audit and expect certification by Q2 2026. This demonstrates our commitment to security, availability, and confidentiality controls.
Data Security
Encryption
At Rest: All customer data is encrypted using AES-256 encryption. Database volumes, backups, and file storage are all encrypted with keys managed through AWS KMS.
In Transit: All data transmitted between your systems and Tarifix uses TLS 1.3. We enforce HTTPS across all endpoints and reject unencrypted connections.
Infrastructure
Tarifix runs on AWS infrastructure in the US-East region. We leverage AWS's security controls including:
- VPC isolation with private subnets for database and application layers
- Security groups restricting network access to only required services
- Web Application Firewall (WAF) to protect against common exploits
- DDoS protection via AWS Shield
- Automated security patching and vulnerability scanning
Access Controls
We implement least-privilege access across our systems:
- Multi-factor authentication (MFA) required for all employee accounts
- Role-based access control (RBAC) limiting data access to only necessary personnel
- All production access logged and audited
- No standing access to production databases — time-limited, approved access only
Data Privacy
We Never Share Your Data
Your product catalog, supplier information, and tariff exposure data belong to you. We:
- Never sell customer data to third parties
- Never share your catalog with competitors or aggregators
- Never use your data to train models for other customers
Data Retention
You control your data:
- Export your complete dataset at any time via CSV or API
- Delete your account and data through the dashboard (Settings → Data & Privacy)
- Upon account deletion, we remove all customer data within 30 days (except what we're legally required to retain for compliance)
Third-Party Services
We use a minimal set of third-party services, all of which are bound by data processing agreements:
- AWS: Infrastructure hosting (SOC 2, ISO 27001 certified)
- Anthropic: LLM classification engine (product descriptions only, no financial data)
- Stripe: Payment processing (PCI DSS compliant)
Compliance
U.S. Data Residency
All customer data is stored in AWS US-East region and never leaves the United States. We do not transfer data to international jurisdictions.
GDPR & Privacy
While Tarifix primarily serves U.S.-based companies, we respect privacy rights for all users. You can:
- Request a copy of your data
- Request deletion of your data
- Opt out of marketing communications
Tariff Classification Standards
Our HTS classification engine is trained on publicly available CBP rulings and the official Harmonized Tariff Schedule. We update our tariff database daily from USITC sources.
Incident Response
In the unlikely event of a security incident:
- Notify affected customers within 72 hours
- Provide clear information about what data was affected
- Share our remediation plan and timeline
- Offer assistance with any required notifications to regulatory bodies
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue:
- Email us at security@tarifix.com
- Provide details of the vulnerability (without disclosing it publicly)
- We will acknowledge receipt within 24 hours
- We will provide a remediation timeline within 5 business days
Questions?
For security questions or to request our security documentation (for vendor assessments), contact security@tarifix.com.
For privacy questions or to exercise data rights, contact privacy@tarifix.com.