How TagEasy handles your data
We tell customers their tracking should be transparent. Same standard applies to us. Everything we encrypt, every subprocessor we use, and everything we still owe you is on this page.
Encrypted end to end
HTTPS-only across every public surface (sites, APIs, OAuth callbacks). Postgres is encrypted at rest by Neon; backups are encrypted. Passwords are hashed with bcrypt at cost factor 12 — never stored or logged in plaintext.
Minimal data collection
We store the domain you audit, the tracking signatures we detect, your GTM / GA4 configuration, and the dataLayer events your site fires. We don't collect end-user personally identifying data, and our PII-in-URL audit check exists specifically to flag when our customers' tracking does.
GDPR-aware by design
Our generated tracking code supports Consent Mode v2 out of the box. The container audit explicitly flags ad tags firing without consent. We'll sign a DPA — email privacy@hexcorp.io.
No session replay on our own app
We don't record your interactions inside the TagEasy dashboard. Aggregate counts only — no Hotjar / FullStory / LogRocket on our app or marketing pages.
Subprocessors
Third parties that touch customer data on our behalf. We'll update this list before adding anyone new.
| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| Vercel | Web hosting + edge functions | US (Global edge cache) | Open ↗ |
| Neon | Postgres database | US-East | Open ↗ |
| Resend | Transactional email | US | Open ↗ |
| Anthropic | AI co-pilot + commentary (Claude Haiku) | US | Open ↗ |
| Stripe | Billing + payment processing | US (global card network) | Open ↗ |
| Google | OAuth (sign-in) + Tag Manager / GA4 API access | Per Google | Open ↗ |
What we still owe you
We'd rather say where the gaps are than pretend they aren't there:
- SOC 2 Type II — not yet certified. On the roadmap once we have ~50 paying customers; the controls (access logging, change management, security review) are in place today.
- EU data residency — production runs in US-East (Vercel + Neon). For EU customers who need data residency, we can run a dedicated deployment under contract. Email sales@hexcorp.io.
- Third-party penetration test — internal review is current; the external test is scheduled for the next quarter in which we close 10+ enterprise contracts.
- Error monitoring — Sentry is wired but DSN currently unconfigured in prod. Closing this is a known launch-readiness item.
Found a vulnerability?
Email security@hexcorp.io with the details — encrypted if you can. We acknowledge within one business day and won't threaten legal action against good-faith research. There's no formal bounty program yet but we credit researchers publicly with permission.
Need a custom DPA or security questionnaire?
Send your procurement form to sales@hexcorp.io; we typically turn them around within two business days.