What is your security posture?
Quick answer
AES-256 encryption at rest, TLS 1.2+ in transit, role-scoped database access with audit logging, 7-year data retention per 19 CFR Part 163, and broker tenant isolation at the database layer. Under NDA we share penetration-test summaries and subprocessor attestations. Additional certifications are disclosed as they become available.
Detailed answer
Tariffi's security posture is designed for enterprise customs data handling with regulatory retention requirements.
Encryption:
- At rest: AES-256 encryption on all stored data, including ES-003 uploads, CAPE declaration drafts, and audit logs.
- In transit: TLS 1.2+ for all API communications between the web frontend, API gateway, and backend services.
Access control:
- Role-scoped database access. Every database query is scoped to the authenticated user's role and tenant. Broker partners see only their filer code's data. Importers see only their own entries. Admin access is audit-logged.
- Broker tenant isolation. Each broker partner operates in a separate database tenant. Cross-tenant queries are architecturally impossible — enforced via foreign-key constraints and row-level security policies, not just application-level checks.
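As an added illustration of the database-layer pattern described above (this is example code, not Tariffi's schema or policies): a PostgreSQL table whose tenant column is a foreign key to a tenant table, with a row-level security policy that restricts every read and write on the application role to the tenant bound to the current transaction. The table, column, role and setting names (broker_tenant, cape_filing, broker_app, app.current_tenant) are assumptions, and the use of PostgreSQL itself is an assumption.

```sql
-- Added example, not Tariffi's own schema. Names below are assumptions.
CREATE TABLE broker_tenant (
    tenant_id  uuid PRIMARY KEY,
    filer_code text NOT NULL UNIQUE
);

CREATE TABLE cape_filing (
    filing_id    uuid PRIMARY KEY,
    -- Foreign key: a filing cannot reference a tenant that does not exist.
    tenant_id    uuid NOT NULL REFERENCES broker_tenant (tenant_id),
    entry_number text NOT NULL,
    created_at   timestamptz NOT NULL DEFAULT now()
);

-- Turn on row-level security and apply it even to the table owner.
ALTER TABLE cape_filing ENABLE ROW LEVEL SECURITY;
ALTER TABLE cape_filing FORCE ROW LEVEL SECURITY;

-- The application binds the authenticated tenant to each transaction with
-- SET LOCAL app.current_tenant = '<tenant uuid>'. If the setting is missing
-- or empty, NULLIF yields NULL, the comparison is never true and no rows
-- are visible: the policy fails closed rather than open.
CREATE POLICY tenant_isolation ON cape_filing
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- The application connects as a role that cannot bypass RLS, so the policy
-- applies to every statement it runs, including ad-hoc or buggy queries.
CREATE ROLE broker_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE ON cape_filing TO broker_app;
GRANT SELECT ON broker_tenant TO broker_app;

-- Check, run as broker_app: only rows for the bound tenant are returned, and
-- an INSERT with a different tenant_id is rejected by the WITH CHECK clause.
BEGIN;
SET LOCAL app.current_tenant = '00000000-0000-0000-0000-00000000000a';
SELECT filing_id, entry_number FROM cape_filing;
ROLLBACK;
```

The point of the pattern is that the filter lives in the database rather than in each query: an application bug that forgets a WHERE clause still cannot read another tenant's rows, and audit logging of the connection role plus the bound tenant setting gives a single place to reconstruct who saw what.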
Data retention:
- 19 CFR Part 163 compliance. All claim data, audit logs, broker-review records, and ES-003 archives are retained for 7 years from the date of the relevant customs entry.
- Year-segmented storage paths. Archived files are organized by year with lifecycle policies that automatically delete data after the retention period expires (5 years + 1 month for cold-storage archives).
- 60-second pre-signed URLs. When users or brokers access stored files, download URLs expire after 60 seconds to minimize the exposure window.
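To show how a short-lived signed download URL like the 60-second one described above behaves, here is an added, self-contained Python example (not Tariffi's code, and not the API of any particular object store): the issuing side signs the file path and an expiry timestamp with an HMAC key, and the serving side accepts the URL only if the signature verifies and the expiry has not passed. The function names, the `app.current_time` style `now` parameter and the sample path are assumptions made for the illustration.

```python
"""Added example (not Tariffi's code): a minimal expiring signed download URL.

The server signs (path, expiry) with a secret key; the file endpoint serves the
request only if the signature matches and the expiry is still in the future.
Names below are assumptions for this illustration.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

URL_TTL_SECONDS = 60  # the 60-second expiry described on the page


def _signature(key: bytes, path: str, expires: int) -> str:
    # Bind the signature to both the path and the expiry so neither can be
    # altered without invalidating it.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def presign(key: bytes, path: str, now: Optional[float] = None,
            ttl: int = URL_TTL_SECONDS) -> str:
    """Return path?expires=<unix ts>&sig=<hex hmac> valid for `ttl` seconds."""
    now = time.time() if now is None else now
    expires = int(now) + ttl
    query = urlencode({"expires": expires, "sig": _signature(key, path, expires)})
    return f"{path}?{query}"


def verify(key: bytes, url: str, now: Optional[float] = None) -> bool:
    """True only if the URL is unexpired and its signature matches the key."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # malformed: fail closed
    if now >= expires:
        return False  # expired: the window has closed
    expected = _signature(key, parsed.path, expires)
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed; use a real secret in practice
    issued_at = 1_700_000_000                # constructed timestamp
    url = presign(key, "/archive/2024/es003-sample.pdf", now=issued_at)
    print(url)
    print("30s later :", verify(key, url, now=issued_at + 30))   # True
    print("61s later :", verify(key, url, now=issued_at + 61))   # False
    print("tampered  :", verify(key, url.replace("2024", "2023"), now=issued_at + 30))  # False
```

The expiry is part of the signed message, so extending it in the query string invalidates the signature; a leaked link is useful only within the original window, which is the exposure-reduction the retention section describes.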
Under NDA we provide:
- Third-party penetration-test summary
- Subprocessor attestation list
- Infrastructure architecture diagram
- Incident response runbook outline
- Security questionnaire completion (SIG, CAIQ, or custom)
Certifications: Additional certifications are disclosed as they become available. Our infrastructure runs on Vercel (frontend) and Railway (API + worker services), both of which maintain their own SOC 2 certifications.
Contact enterprise@tariffi.io for the full security documentation package.
Related Questions
How do you handle procurement diligence?
Tariffi provides a complete diligence package under NDA: broker-partnership regulatory evidence (19 CFR Part 111, CBP Rulings HQ H326926 and H350722), FASB ASC 450-30 contingent-recovery memo template, engagement letter redline, security posture documentation (AES-256, TLS 1.2+, 7-year retention), and reference contacts from comparable engagements.
What about client confidentiality?
Each broker partner has an isolated tenant — you see only CAPE filings assigned to your Filer Code. Tenant isolation is enforced at the database layer with role-scoped access and audit logging. No cross-broker visibility, no aggregated client lists, and the partnership agreement bars Tariffi from soliciting your clients for customs brokerage services.
What's different about enterprise pricing?
Enterprise importers ($5M+ duty paid) receive custom-priced contingency below the standard 10/15/25% tiers, a co-advisory engagement structure that accommodates existing tax or trade counsel, and a dedicated underwriter. Volume-based fee negotiation starts at the first conversation. Contact enterprise@tariffi.io.
Do you work with Big 4 advisors?
Yes. Tariffi's enterprise engagement structure accommodates co-advisory arrangements where your existing Big 4 tax or trade team owns the workpaper review. A licensed customs broker partner transmits to CBP under their own license per 19 CFR Part 111. The engagement letter accommodates a side arrangement with your advisor.