> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thetinybell.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security at TinyBell

> How TinyBell protects your hotel website and visitor data.

## Our commitment

TinyBell processes visitor interaction data on behalf of hotels. We take this responsibility seriously. Every component of our platform, from the pixel script to the dashboard, is built with security as a core requirement.

## EU Cyber Resilience Act (CRA)

TinyBell is classified as a **Product with Digital Elements** under the EU Cyber Resilience Act (Regulation EU 2024/2847). We comply with the CRA requirements for products in the **default risk category**, including:

* Security by design and by default
* Continuous vulnerability management
* Incident reporting to ENISA/INCIBE within required timeframes
* Maintaining a Software Bill of Materials (SBOM)
* Providing security updates during the support period

## Security by design

* **HTTPS only**: All data transmission between the pixel, visitor browsers, and our servers uses TLS 1.2+
* **Minimal data collection**: The pixel collects only what is needed (page URL, device type, browser language, country). No personal identifiers are stored
* **Input sanitization**: All user inputs are sanitized via HTMLPurifier before storage
* **CSP headers**: Content Security Policy headers protect against XSS attacks
* **Rate limiting**: API endpoints are rate-limited to prevent abuse

## Security by default

* Passwords require minimum complexity
* Two-factor authentication is available for all accounts
* Sessions expire after inactivity
* Cookie consent is granular (necessary, analytics, targeting)
* Branding and tracking respect user consent preferences

## Infrastructure

* **Cloudflare**: All traffic to thetinybell.com is proxied through Cloudflare, which provides DNS, DDoS protection, TLS termination, Web Application Firewall (WAF), and CDN caching. Cloudflare operates globally with data centers in the EU and worldwide
* Hosted on dedicated servers within the EU
* Database connections are encrypted
* File uploads are validated and sanitized (SVG sanitizer, image type verification)
* Cache files are isolated per account
* Regular automated backups

## Vulnerability disclosure

We welcome responsible disclosure of security vulnerabilities. See our [Vulnerability Disclosure Policy](/security/vulnerability-disclosure) for details on how to report issues.

## Contact

For security-related inquiries: **[info@thetinybell.com](mailto:info@thetinybell.com)**

Subject line: `[SECURITY]` followed by a brief description.
