Security at Tixallo

All traffic to Tixallo is encrypted in transit using TLS. Data at rest in our managed database and object storage is encrypted using the underlying provider's at-rest encryption.

Email + password sign-in with a 2FA option (TOTP). Magic-link sign-in for the customer portal. Social sign-in via OAuth where offered.

We don't currently offer SAML SSO or SCIM provisioning. If that's required for your team, get in touch and we'll be upfront about timelines before you commit.

Role-based access (Owner, Admin, Agent, Light agent) plus per-team scoping for shared inboxes and saved views. Sensitive actions (role changes, integration tokens, exports) generate audit-log entries.

We log lifecycle changes (owner change, status change), role changes, automation edits and integration token rotations. Logs are visible to admins and retained for a rolling window.

Inbound email and chat messages run through a classifier that flags spam and phishing patterns before they reach the agent inbox.

Daily backups of workspace data with point-in-time recovery available within a rolling retention window. We test recovery procedures.

Workspace data is hosted on managed cloud infrastructure. The full sub-processor list is maintained on the data processing page and updated when it changes.

We are not currently SOC 2, ISO 27001 or HIPAA certified, and we are not a HIPAA business associate. We don't currently sign BAAs.

If your procurement process requires any of those, please tell us early — we'd rather be a poor fit for the right reason than pretend otherwise.

If you believe you've found a security issue, please contact us via the contact page with details. We aim to triage reports within two business days and will keep you informed as we investigate. Please don't run automated scans against production.