Trust at Talvo

This page is maintained by Talvo. It describes controls that are enabled today in the platform. It is not an independent certification.

Ballot secrecy is architectural

  • Ballots live in an isolated ballots database schema with zero grants to the app's user roles. They are written and read only by a small set of server-side functions running with a service role.
  • Voter tokens are 128-bit random values, stored only as SHA-256 hashes. A ballot page opened by GET never consumes a token — consumption happens only when the ballot is submitted.
  • Ballots carry no IP address and no precise timestamp. The submission time is coarsened to the hour before storage.
  • No third-party scripts, analytics, or trackers load on ballot pages. A strict Content-Security-Policy and frame-ancestors 'none'header are enforced.

Verifiable counting

Every election records a config snapshot and content hash the moment it opens. That hash appears in the results view — anyone with a copy of the snapshot can confirm the config wasn't altered.

Our counting code (FPTP, AV, Scottish STV with Droop quota and truncated fractional transfers) is deterministic and open. Every count publishes a BLT (Ballot List Text) export in the standard OpenSTV/ERS format so an observer can re-run the count in independent software and reproduce the outcome.

Where your data lives

Application and database services run in the United Kingdom. Email delivery goes through Resend; static assets are served from Cloudflare's global edge — content-only, no personal data at rest at the edge.

Subprocessors

SubprocessorPurposeRegion
SupabaseDatabase and authenticationUnited Kingdom / EU
Cloudflare (via Lovable)Edge hosting, static assetsGlobal edge
ResendTransactional email deliveryEU
StripeCredit purchasesEU / UK
SentryError diagnostics (no ballot data)EU

Staff access is logged

When Talvo staff access an organisation's console for support, every action is written to that organisation's audit log with the staff member's identity. Audit rows use hash chaining so any deletion or reordering is detectable.

Security reporting & status

Report a suspected vulnerability using our security.txt. Live status: status.talvo.vote.