Security practices
Encryption in transit
All traffic to FollowTo is served over HTTPS with modern TLS. Session cookies are set with the Secure and HttpOnly flags.
Hosted infrastructure
Application and database workloads run on managed cloud infrastructure (Vercel, Turso/libSQL) with provider-level physical and network controls.
Access controls
Organizer dashboards require authentication. Community and event data is scoped to the owning account. Deletion requires password or email verification.
Deletion accountability
Enterprise organizers receive a deletion audit log with hashed receipts for account erasure, community deletion, and automated attendee retention purges.
Documented subprocessors
We maintain a subprocessor list in our Privacy Policy (Turso, Resend, Paddle, PayU). Enterprise customers are notified of material changes.
Compliance readiness
Status reflects our current posture and roadmap. Enterprise customers may request detailed control summaries and deletion audit exports.
SOC 2 Type II
FollowTo follows SOC 2-aligned controls for security, availability, and confidentiality. Formal Type II attestation is on our Enterprise roadmap; documentation is available on request.
ISO 27001
We apply ISO 27001-style risk management, access control, and incident response practices. Certification is planned as part of our Enterprise compliance program.
GDPR / DPDP / CCPA
Self-service export, instant erasure, inactive-account notice, organizer cascade delete, and Enterprise DPA template are live today.