Trust Center
Security and privacy are foundational to Tamloot
Tamloot is built for professionals who run on conversations — coaches, therapists, consultants, advisors, and the many others whose work depends on what happens in a 1-on-1. Those conversations are deeply personal, so security and privacy aren’t features we added — they shape every layer of the platform and every decision we make about your data.
At a glance
Compliance & certifications
Where we stand today on the standards that matter to the people who trust us with sensitive conversations.
An independent audit of our security controls is underway, with the Type I report expected soon.
A Type II report covering the sustained operation of our controls will follow Type I.
We are building out our information security management system toward ISO 27001 certification.
We follow GDPR data-protection principles and provide a Data Processing Agreement (DPA) on request.
AES-256 at rest and TLS 1.2+ in transit protect your data everywhere it lives or moves.
PostgreSQL Row-Level Security guarantees each user can only ever access their own data.
SOC 2 and ISO 27001 are independent attestations. We will only describe ourselves as “certified” once the relevant report is issued by the auditing firm; until then these reflect work in progress.
How your data is handled
Every piece of data moves through a pipeline designed for confidentiality at every step:
1. Session recordings are captured via our desktop app, Chrome extension, mobile app, or file upload, transmitted over TLS, and stored encrypted at rest (AES-256) with server-side encryption and versioning.
2. Transcripts are generated by our speech-to-text provider and stored encrypted in our database.
3. AI-generated notes (summaries, key themes, action items) are produced via enterprise API access configured so that your data is never used to train AI models.
4. Data about the people you work with (names, contact details, session history) is stored with Row-Level Security so each user can only access their own data.
Security controls
A selection of the technical and organizational controls that protect Tamloot, grouped by area.
Cryptographic protections
- Encryption at rest (AES-256) on all databases and storage
- Encryption in transit (TLS 1.2+) for all traffic
- Server-side encryption (SSE-S3) on recording storage
- Versioned, access-controlled object storage
Access & authentication
- Role-based, least-privilege access to production systems
- Server-side authorization on all admin actions (fail-closed)
- Quarterly privileged-access reviews
- Multi-factor authentication on administrative consoles
Tenant isolation
- PostgreSQL Row-Level Security on all customer tables
- Verified cross-user isolation testing
- Locked-down privileged database functions
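As an added illustration (not Tamloot's own schema or code) of the per-user Row-Level Security described in the data-handling pipeline and in the tenant-isolation controls above: a PostgreSQL table with a policy scoped to the authenticated user, followed by the kind of cross-user check a verified isolation test would run. The table, column, role and session-variable names are assumptions.

```sql
-- Example schema (assumed; not Tamloot's). owner_id is the authenticated user.
create table people (
  id       bigserial primary key,
  owner_id uuid not null,
  name     text not null
);

-- Turn RLS on, and FORCE it so even the table owner is subject to the policy;
-- only superusers and roles with BYPASSRLS can read across users.
alter table people enable row level security;
alter table people force row level security;

-- The application sets app.current_user_id after authenticating the request
-- (Supabase provides auth.uid() for the same purpose; a plain session
-- variable is used here). missing_ok=true makes the policy fail closed:
-- with no user set, the comparison is NULL and no rows are visible.
create policy people_owner_only on people
  for all
  using      (owner_id = current_setting('app.current_user_id', true)::uuid)
  with check (owner_id = current_setting('app.current_user_id', true)::uuid);

-- Least-privilege application role: table access only, no BYPASSRLS.
create role app_user nologin;
grant select, insert, update, delete on people to app_user;
grant usage, select on sequence people_id_seq to app_user;

-- Cross-user isolation check, run as the application role.
set role app_user;

select set_config('app.current_user_id',
                  '11111111-1111-1111-1111-111111111111', false);
insert into people (owner_id, name)
  values ('11111111-1111-1111-1111-111111111111', 'Client A');
select count(*) from people;   -- the row just inserted is visible to its owner

select set_config('app.current_user_id',
                  '22222222-2222-2222-2222-222222222222', false);
select count(*) from people;   -- counts nothing: the other user's row is hidden

-- Writing a row on behalf of another user is rejected by the WITH CHECK clause.
insert into people (owner_id, name)
  values ('11111111-1111-1111-1111-111111111111', 'Spoofed');

reset role;
```

Run the check as a role without BYPASSRLS; a superuser session bypasses RLS and would make the isolation test pass trivially.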
Change management
- Protected main branch with pull-request-gated changes
- Mandatory code review via CODEOWNERS
- Release-tag controls for client distribution
- Infrastructure as code with state locking
Vulnerability & threat management
- Automated dependency scanning (Dependabot)
- Static analysis on every pull request (Semgrep)
- Secret scanning with push protection
- Dynamic application security testing with remediation SLAs
Monitoring & logging
- Append-only audit logging for sensitive actions
- Centralized log retention for incident forensics
- Webhook signature verification (HMAC-SHA256)
- Security and availability alerting
Data handling & privacy
- Documented data classification and retention
- Data export and deletion on request
- Maintained subprocessor inventory and disclosure
- AI processing that excludes your data from model training
Availability & resilience
- Documented backup and restore procedures
- Disaster-recovery runbook and drills
- Capacity and availability monitoring
Vendor management
- Annual review of critical subprocessors
- Data Processing Agreements with subprocessors
- Reliance on subservice providers’ security controls
Governance & risk
- Information security policy pack, reviewed annually
- Risk register with named owners and review dates
- Incident response, DR, and data-subject-request runbooks
Subprocessors
The following vendors process data on our behalf to deliver Tamloot.
We maintain Data Processing Agreements (DPAs) with our subprocessors, and can provide our own DPA to customers on request. Contact us at privacy@tamloot.cc to request one.
| Vendor | Purpose | Data accessed | DPA |
|---|---|---|---|
| Supabase | Database, authentication & storage | All application data (encrypted at rest) | View |
| AWS | Audio storage, compute & logs | Audio files, compute | View |
| Anthropic | AI notes, meeting prep & copilot | Transcripts (not used for model training) | View |
| ElevenLabs | Speech-to-text transcription | Audio recordings | View |
| Vercel | API & web hosting | Data in transit | View |
| Recall.ai | Desktop session recording | Session audio/video | View |
| Hookdeck | Webhook routing | Webhook payloads (in transit) | View |
| Cloudflare | DNS, CDN & edge | Traffic metadata | View |
| | Authentication & calendar | OAuth tokens, calendar events | View |
| Sentry | Error monitoring | Diagnostics (PII-minimized) | View |
| PostHog | Product analytics | Usage events (content masked) | View |
| Lemon Squeezy | Payments | Billing metadata, email | View |
| Resend | Transactional email | Email addresses & content | View |
Additional channels (such as Telegram or WhatsApp) only process data for users who explicitly connect them. Content you export to your own destinations (e.g. Google Docs) becomes a copy you control.
Documentation & resources
Security documentation is available to customers and prospects on request. Reach out and we’ll share what you need.
Data retention
- Account data: retained while your account is active and for 30 days after deletion for recovery.
- People you work with & session data: retained until you delete it or close your account.
- Session recordings: retained according to your account settings or until you delete them.
- Usage logs: retained for up to 12 months for security and analytics.
- Audit logs: retained on an append-only basis to support security investigations.
For complete details, see our Privacy Policy.
Incident response
We maintain a documented incident response process and breach notification procedure. In the event of a security incident affecting your data:
- We will notify affected customers without undue delay once an incident is confirmed.
- Our notification will describe the nature of the incident, the types of information involved, the steps we are taking, and recommendations for affected individuals.
To report a security concern or potential vulnerability, contact us at security@tamloot.cc.
Questions, a DPA, or our security documentation?
Have questions about our security posture, how we handle data, or how we protect the people you work with? Need a Data Processing Agreement or our security documentation? We’re here to help.