Trust at Talvo
This page is maintained by Talvo. It describes controls that are enabled today in the platform. It is not an independent certification.
Ballot secrecy is architectural
- Ballots live in an isolated
ballotsdatabase schema with zero grants to the app's user roles. They are written and read only by a small set of server-side functions running with a service role. - Voter tokens are 128-bit random values, stored only as SHA-256 hashes. A ballot page opened by GET never consumes a token — consumption happens only when the ballot is submitted.
- Ballots carry no IP address and no precise timestamp. The submission time is coarsened to the hour before storage.
- No third-party scripts, analytics, or trackers load on ballot pages. A strict Content-Security-Policy and
frame-ancestors 'none'header are enforced.
Verifiable counting
Every election records a config snapshot and content hash the moment it opens. That hash appears in the results view — anyone with a copy of the snapshot can confirm the config wasn't altered.
Our counting code (FPTP, AV, Scottish STV with Droop quota and truncated fractional transfers) is deterministic and open. Every count publishes a BLT (Ballot List Text) export in the standard OpenSTV/ERS format so an observer can re-run the count in independent software and reproduce the outcome.
Where your data lives
Application and database services run in the United Kingdom. Email delivery goes through Resend; static assets are served from Cloudflare's global edge — content-only, no personal data at rest at the edge.
Subprocessors
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase | Database and authentication | United Kingdom / EU |
| Cloudflare (via Lovable) | Edge hosting, static assets | Global edge |
| Resend | Transactional email delivery | EU |
| Stripe | Credit purchases | EU / UK |
| Sentry | Error diagnostics (no ballot data) | EU |
Staff access is logged
When Talvo staff access an organisation's console for support, every action is written to that organisation's audit log with the staff member's identity. Audit rows use hash chaining so any deletion or reordering is detectable.
Security reporting & status
Report a suspected vulnerability using our security.txt. Live status: status.talvo.vote.