Tiny IDP

Technical Overview

Last updated: February 4, 2026

This document provides a comprehensive technical overview of Tiny IDP's infrastructure, data processing lifecycle, security measures, and compliance framework.

For policy details, see our Privacy Policy. For legal terms, see our Terms of Service.

Request Lifecycle & Data Flow

The following sequence illustrates the complete lifecycle of a document processing request, from client submission to response delivery. The steps from reception onward run inside Google Cloud Platform (GCP) in Madrid, Spain.

1. Client Request: HTTPS request received (TLS 1.3 encryption)
2. Reception in GCP Madrid: europe-southwest1 region
3. Temporary Encrypted Storage: encrypted storage bucket (5-15 seconds, AES-256, no public access)
4. OCR Processing: Google Cloud Vision AI
5. AI Model Processing: Google Vertex AI (no training on customer data)
6. Data Processing: in-memory processing
7. Permanent Deletion: permanent deletion from storage (unrecoverable)
8. Technical Logging: metadata only (request ID, timestamp, status code), no PII or content
9. Response to Client: JSON response via HTTPS
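The lifecycle above hinges on one property: the stored object is deleted whether the OCR/AI stage succeeds or fails, and nothing but metadata survives into the log. The following is an added illustration of that fail-safe shape, not Tiny IDP's own code. It assumes (not from the page) an in-memory dict standing in for the encrypted bucket, a caller-supplied callback standing in for the OCR and model stages, and object names built from a tenant prefix plus a random token; the sample document is constructed.

```python
"""Fail-safe ephemeral document pipeline (added illustration, not Tiny IDP's code).

Assumptions not taken from the page: FakeBucket stands in for the encrypted
bucket, `extract` stands in for the OCR/AI stages, and object names combine a
tenant prefix with a random token.
"""
import secrets
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class FakeBucket:
    """Constructed stand-in for the storage bucket (object name -> bytes)."""
    objects: Dict[str, bytes] = field(default_factory=dict)
    deletions: List[str] = field(default_factory=list)

    def put(self, name: str, data: bytes) -> None:
        self.objects[name] = data

    def get(self, name: str) -> bytes:
        return self.objects[name]

    def delete(self, name: str) -> None:
        self.objects.pop(name, None)
        self.deletions.append(name)

    def exists(self, name: str) -> bool:
        return name in self.objects


def object_path(tenant_id: str) -> str:
    """Customer-specific prefix plus an unguessable per-request object name."""
    return f"tenants/{tenant_id}/{secrets.token_urlsafe(32)}"


@dataclass
class ProcessingResult:
    request_id: str
    status: int
    output: Optional[dict]
    log: dict  # operational metadata only


def process_document(bucket: FakeBucket, tenant_id: str, document: bytes,
                     extract: Callable[[bytes], dict]) -> ProcessingResult:
    """Store, process, delete. Deletion sits in `finally`, so it runs whether
    `extract` succeeds or raises, and only metadata reaches the log record."""
    request_id = secrets.token_hex(8)
    path = object_path(tenant_id)
    started = time.monotonic()
    status, output, error_type = 500, None, None
    bucket.put(path, document)
    try:
        output = extract(bucket.get(path))
        status = 200
    except Exception as exc:
        error_type = type(exc).__name__  # record the type, never the message
    finally:
        bucket.delete(path)  # runs on success and on failure alike
    if bucket.exists(path):  # verify before responding to the client
        raise RuntimeError("ephemeral object survived deletion")
    log = {
        "request_id": request_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "status": status,
        "error_type": error_type,
        "duration_ms": round((time.monotonic() - started) * 1000, 2),
    }
    return ProcessingResult(request_id, status, output, log)


if __name__ == "__main__":
    bucket = FakeBucket()
    doc = b"Invoice 4711 for Jane Doe"  # constructed sample input
    result = process_document(bucket, "acme", doc, lambda d: {"chars": len(d)})
    print(result.status, result.output, result.log, bucket.objects)
```

The point to copy is the placement of the delete: in `finally`, followed by an existence check, rather than at the end of the happy path where an exception in the model stage would leave the object behind.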

Security Architecture

Encryption Standards

In Transit

TLS 1.3 encryption for all API communications. TLS 1.3 only negotiates ephemeral key exchange, so every session has Perfect Forward Secrecy (PFS).

At Rest

AES-256 encryption for temporary storage (5-15 seconds). Google-managed encryption keys with automatic rotation. No public access.

Secret Management

API keys, service account credentials, and sensitive configuration stored in Google Cloud Secret Manager with encryption at rest, IAM access controls, and audit logging.

Technical Logging

Technical logs contain only operational metadata (retained for 12 months):

  • Request ID and timestamp
  • HTTP status code
  • Error type and stack trace (no content)

Logs never contain personal data, content, or any identifiable information.
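The "stack trace (no content)" item is where metadata-only logging usually breaks in practice: a formatted exception carries `str(exc)`, and parser errors commonly quote the input they choked on. The following added example (not Tiny IDP's code) shows that leak beside a hardened record that keeps only the exception type and frame locations, plus a cheap regression check. The parser and the sample document text are constructed.

```python
"""Metadata-only log records with content-free stack traces.

Added illustration, not Tiny IDP's code. `naive_record` shows the leak that a
formatted exception introduces; `metadata_record` is the hardened form.
"""
import json
import traceback
from datetime import datetime, timezone
from typing import Optional, Tuple


def content_free_frames(exc: BaseException) -> list:
    """Keep only file, line and function of each frame. The exception message
    and the frames' source lines are dropped."""
    return [f"{fs.filename}:{fs.lineno} in {fs.name}"
            for fs in traceback.extract_tb(exc.__traceback__)]


def naive_record(request_id: str, exc: BaseException) -> dict:
    """What many handlers do: format_exception() embeds str(exc), which is
    often built from whatever the code was parsing."""
    trace = traceback.format_exception(type(exc), exc, exc.__traceback__)
    return {"request_id": request_id, "trace": "".join(trace)}


def metadata_record(request_id: str, status: int,
                    exc: Optional[BaseException] = None) -> dict:
    """Allowlisted fields only: request ID, timestamp, status, error type, frames."""
    record = {
        "request_id": request_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "status": status,
    }
    if exc is not None:
        record["error_type"] = type(exc).__name__
        record["frames"] = content_free_frames(exc)
    return record


def contains_none_of(record: dict, *forbidden: str) -> bool:
    """Regression check: serialise the record and confirm none of the given
    strings (document text, names) ended up anywhere in it."""
    blob = json.dumps(record)
    return not any(s in blob for s in forbidden)


def parse_amount(document: str) -> float:
    """Constructed parser whose error message quotes the input, as parsers
    commonly do."""
    for token in document.split():
        if token.startswith("EUR"):
            return float(token[3:])
    raise ValueError(f"no amount in document: {document!r}")


def demo(document: str) -> Optional[Tuple[dict, dict]]:
    """Run the parser on a document and return (leaky record, scrubbed record)."""
    try:
        parse_amount(document)
    except ValueError as exc:
        return naive_record("req-1", exc), metadata_record("req-1", 422, exc)
    return None


if __name__ == "__main__":
    leaky, scrubbed = demo("Invoice for Jane Doe, total TBD")  # constructed input
    print(json.dumps(leaky, indent=2))
    print(json.dumps(scrubbed, indent=2))
```

A check like `contains_none_of` belongs in the test suite with a few known sample documents, so that a future change to error handling (or a library upgrade that starts quoting input in its exceptions) fails a test rather than quietly putting content into twelve months of logs.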

Multi-Tenant Isolation

Tiny IDP implements strict architectural safeguards to ensure complete data isolation between customers:

1. API Key Authentication

Every request must carry a unique per-account API key, which is cryptographically validated before any processing occurs. A key is bound to exactly one account and cannot access another account's data.

2. Isolated Storage Paths

Each request uses unique, randomly-generated storage paths with customer-specific prefixes. IAM policies prevent cross-customer access.

3. Request-Level Isolation

Processing runs in ephemeral, stateless Cloud Run containers. Each request is processed independently, with no request data held in state shared between requests. (A Cloud Run instance can serve several requests concurrently, so this isolation rests on the application keeping no per-request data in process-wide state, not on one container per request.)

4. Database Segregation

Account data stored with customer IDs as partition keys. All queries scoped to authenticated customer.
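The four safeguards above reduce, in code, to two checks on every request: the presented key must map to exactly one customer, and every query must be constructed from that customer ID rather than from anything in the request. The following added example (not Tiny IDP's code) shows that shape; it assumes, beyond what the page states, that a key has a public id prefix and a secret part, that only a SHA-256 digest of the full key is stored, and that an in-memory dict partitioned by customer ID stands in for the account database with constructed rows.

```python
"""Per-request tenant isolation: API-key validation and customer-scoped queries.

Added illustration, not Tiny IDP's code. Assumptions not taken from the page:
keys are "<key_id>.<secret>", only a SHA-256 digest of the full key is stored,
and ACCOUNTS is a constructed dict partitioned by customer ID.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# key_id -> (customer_id, sha256 hex of the full key). Constructed store.
KEY_TABLE: Dict[str, Tuple[str, str]] = {}

# Partition key is the customer ID; a query can only address one partition.
ACCOUNTS: Dict[str, Dict[str, dict]] = {
    "cust-a": {"job-1": {"status": "done", "pages": 3}},
    "cust-b": {"job-9": {"status": "done", "pages": 12}},
}


def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


def issue_key(customer_id: str) -> str:
    """Return the raw key once; only its digest is kept server-side, so a
    leaked KEY_TABLE does not yield usable keys."""
    key_id = secrets.token_hex(8)
    raw = f"{key_id}.{secrets.token_urlsafe(32)}"  # neither part contains '.'
    KEY_TABLE[key_id] = (customer_id, _digest(raw))
    return raw


def authenticate(raw_key: str) -> Optional[str]:
    """Map a presented key to its customer ID, or None if it is not valid."""
    key_id, sep, _ = raw_key.partition(".")
    entry = KEY_TABLE.get(key_id) if sep else None
    if entry is None:
        return None
    customer_id, stored = entry
    # Constant-time comparison of the digests: no timing side channel on the key.
    if not hmac.compare_digest(_digest(raw_key), stored):
        return None
    return customer_id


class ScopedQuery:
    """Every lookup goes through the authenticated customer's partition.
    There is deliberately no method that takes a customer ID from the request."""

    def __init__(self, customer_id: str):
        self._rows = ACCOUNTS.get(customer_id, {})

    def get_job(self, job_id: str) -> Optional[dict]:
        return self._rows.get(job_id)


def handle_get_job(raw_key: str, job_id: str) -> Tuple[int, Optional[dict]]:
    """Request handler: authenticate, then query only within that customer."""
    customer_id = authenticate(raw_key)
    if customer_id is None:
        return 401, None
    job = ScopedQuery(customer_id).get_job(job_id)
    # A job in another tenant's partition is indistinguishable from a missing one.
    return (200, job) if job is not None else (404, None)


if __name__ == "__main__":
    key_a = issue_key("cust-a")
    print(handle_get_job(key_a, "job-1"))  # own job
    print(handle_get_job(key_a, "job-9"))  # another tenant's job: 404
    print(handle_get_job("bogus.key", "job-1"))  # unknown key: 401
```

Two details carry the isolation: the customer ID never comes from the request (only from the key lookup), and cross-tenant job IDs return the same 404 as nonexistent ones, so an attacker cannot use the API to enumerate which IDs exist in other accounts.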

Data Residency & Zero Retention Policy

Data Residency

  • All infrastructure in europe-southwest1 (Madrid, Spain)
  • No cross-region replication
  • No backups outside the EU
  • No international data transfers

Data Retention

  • Documents deleted within 5-15 seconds
  • Permanent deletion (unrecoverable)
  • No backups of document data
  • No archival storage
  • No data used for AI training

Risk Mitigation Framework

The following table summarizes key privacy and security risks along with implemented mitigation measures:

Identified Risk                     Mitigation Measure
Unauthorized third-party access     Encryption in transit (TLS 1.3) and at rest (AES-256), plus authentication via unique API keys.
Data use for unintended purposes    Binding DPA that prohibits data use outside the requested extraction.
Sensitive data persistence          Ephemeral architecture: data is deleted within seconds of the response.
International data transfers        100% of processing within Spain (Madrid region, EU).

Contact

Data Protection Officer

Albert Vazquez Mendez

privacy@tiny-idp.com

Security & Compliance

For security vulnerability reports, compliance questions, or audit requests:

privacy@tiny-idp.com

General Support

hello@tiny-idp.com