TUNDRÄ
Login Start for free

Legal

Security overview

TUNDRÄ applies proportionate safeguards for ordinary website-project data. The standard portal is not designed for payment-card data, secrets or large volumes of regulated personal data.

Effective July 12, 2026 · Version 2026-07-12

Legal documents
Terms of serviceService scopeBilling & subscriptionsCancellation & refundsAcceptable usePrivacy noticeCookie noticeData processing addendumSeller informationSubprocessorsSecurity

1. Current safeguards

  • Encryption in transit is used for production website and account traffic.
  • Passwords and authentication credentials are protected using one-way cryptographic controls.
  • Access to Customer records is restricted by account, organisation and role.
  • Reasonable controls are applied to authentication attempts, sessions and uploaded files.
  • Material account and service activity may be logged for security, support and accountability.
  • Personnel access is limited according to operational need and confidentiality obligations.
  • Complete payment-card data is handled by Lava.top and is not stored in the TUNDRÄ portal.

2. Data minimisation

The most effective control is not collecting unnecessary data. Customers should provide redacted screenshots, synthetic test users and the smallest data sample needed. Do not upload passwords, private keys, seed phrases, complete card data, government identifiers, health information, children’s data or full production databases under the standard Service.

3. Credentials and access

Credentials should be shared through a Customer-approved password manager or time-limited platform invitation, not task comments or email. Customers should grant least privilege, enable multi-factor authentication where available, review access regularly and revoke it after completion. We may refuse access that is shared insecurely.

4. Production and recovery

Before material production changes, the Customer must maintain a recoverable source and data backup or authorise a task-specific backup. TUNDRÄ operational copies are not a substitute for the Customer’s business-continuity plan. Deployment, rollback, retention and recovery requirements beyond reasonable standard precautions must be stated in an Order Form.

5. Personnel and providers

Access is limited to personnel who need it for delivery or support and who are subject to confidentiality duties. Infrastructure, email, payment, analytics and notification providers are listed on the Subprocessor List. We review access when roles change and may log administrative actions.

6. Incident response

We investigate suspected unauthorised access, contain affected systems, preserve relevant evidence, assess scope, restore safe service and notify affected Customers or authorities where required. Under a DPA, we notify the Customer without undue delay after becoming aware of a confirmed Personal Data Breach involving Customer Personal Data and provide information reasonably available at the time.

7. Reporting a vulnerability or incident

Email support@tundraa.dev with “Security report” in the subject. Include the affected URL or account, timestamps, steps to reproduce and potential impact. Do not access other users’ data, disrupt service, use social engineering, demand payment, or publicly disclose an unresolved issue. Do not attach active malware or secrets.

8. No certification claim

This overview is not a warranty of absolute security or a claim of independent certification. Customers needing specific data residency, audit, dedicated infrastructure or contractual recovery objectives must agree them before transferring relevant data.

TUNDRÄ © 2026
Terms Privacy Security Cookies Refunds Legal notice