Our commitment
TinyBell processes visitor interaction data on behalf of hotels. We take this responsibility seriously. Every component of our platform, from the pixel script to the dashboard, is built with security as a core requirement.
EU Cyber Resilience Act (CRA)
TinyBell is classified as a Product with Digital Elements under the EU Cyber Resilience Act (Regulation EU 2024/2847). We comply with the CRA requirements for products in the default risk category, including:
- Security by design and by default
- Continuous vulnerability management
- Incident reporting to ENISA/INCIBE within required timeframes
- Maintaining a Software Bill of Materials (SBOM)
- Providing security updates during the support period
Security by design
- HTTPS only: All data transmission between the pixel, visitor browsers, and our servers uses TLS 1.2+
- Minimal data collection: The pixel collects only what is needed (page URL, device type, browser language, country). No personal identifiers are stored
- Input sanitization: All user inputs are sanitized via HTMLPurifier before storage
- CSP headers: Content Security Policy headers protect against XSS attacks
- Rate limiting: API endpoints are rate-limited to prevent abuse
Security by default
- Passwords require minimum complexity
- Two-factor authentication is available for all accounts
- Sessions expire after inactivity
- Cookie consent is granular (necessary, analytics, targeting)
- Branding and tracking respect user consent preferences
Infrastructure
- Hosted on dedicated servers within the EU
- Database connections are encrypted
- File uploads are validated and sanitized (SVG sanitizer, image type verification)
- Cache files are isolated per account
- Regular automated backups
Vulnerability disclosure
We welcome responsible disclosure of security vulnerabilities. See our Vulnerability Disclosure Policy for details on how to report issues.
Contact
For security-related inquiries: info@thetinybell.com
Subject line: [SECURITY] followed by a brief description.