Tap Links — Security Overview

Operator: Mace Design LLC (a New York limited liability company) d/b/a “Tap Links”
Effective date: 2026-05-13 · Version: 2.0

Summary

• All dashboard access is by magic-link sign-in. We do not store passwords.
• AES-128 cryptographic locking on NFC devices by default, with a key architecture designed to limit blast radius if any single component is compromised.
• TLS in transit on every endpoint; encryption at rest, provider-managed.

This summary is informational and subject to change. In a conflict between this summary and the formal text below, the formal text controls.

Tap Links operates a cloud service plus NFC hardware manufactured in Brooklyn, NY. This page describes the high-level security posture of the Service. More detailed documentation, including responses to standard security questionnaires, is available to enterprise prospects under NDA — see § 6.

1. Posture

Tap Links runs on hosted cloud infrastructure operated by a major provider (see Sub-processors for the vendor list). All endpoints are TLS-encrypted; no unencrypted production traffic. Storage is encrypted at rest by the provider.

2. Authentication

• No passwords. Tap Links uses magic-link sign-in: a single-use, time-limited URL emailed to the user.
• Session cookies are HttpOnly, Secure, and SameSite=Strict.
• Anti-prefetch protection. Sign-in uses a two-step confirmation pattern designed to defeat automated email-scanning by corporate gateways (which would otherwise burn a magic link before the human clicks).
• Rate limiting applies to authentication endpoints to slow brute-force attempts.

3. Cryptographic locking on devices

Tap Links NFC devices ship AES-128 cryptographically locked by default.

• Each device is locked with its own unique key. There is no shared master key across the fleet.
• Keys are managed so that the Tap Links customer-facing application has no runtime access to them.
• Customers may opt out of Tap Links locking under their Order if they prefer to ship devices unlocked or to manage their own cryptographic posture.
• Customers may request key destruction when a Tap Links–locked device is destroyed or scrapped. Once destroyed, the device cannot be unlocked or re-locked.

Specific operational details of key storage, rotation, and access are not publicly disclosed. Customer security teams may request additional detail under NDA.

4. Incident response

If we discover a confirmed security incident affecting customer Personal Information, we will notify affected customers and, where required, regulators or affected individuals, consistent with applicable breach-notification laws (including New York General Business Law § 899-aa and California Civil Code § 1798.82).

For active incidents, we communicate directly with each affected customer’s primary contact.

5. Responsible disclosure

We welcome reports from security researchers.

• Email: hello@taplinks.com, subject line “Security report”
• What to include: affected URL or component, reproduction steps, your contact information, any preferred disclosure timeline.

What we ask: - Allow reasonable time for investigation and remediation before public disclosure (we suggest 90 days). - Do not access, modify, or delete data that is not your own. - Do not run automated denial-of-service or destructive tests. - Do not phish or social-engineer Tap Links personnel or customers.

What we do: - Acknowledge receipt within 72 hours. - Keep you informed of progress. - Credit you (with your permission) in any public acknowledgment once the issue is resolved.

We do not currently run a paid bug-bounty program.

6. Detailed security documentation

For enterprise prospects with an active engagement, we can:

• Complete standard security questionnaires (e.g., SIG-Lite, CAIQ-Lite).
• Share architectural detail beyond what is on this page under a mutual NDA.

Contact hello@taplinks.com to begin.

7. Contact

hello@taplinks.com for all security questions, vulnerability disclosures, and inquiries.