Skip to content
Trust center

Earning trust with every request.

TempoDocs is built for teams that handle sensitive plans, contracts, and roadmaps. Here's a plain-English summary of how we protect your data — and where we still have work to do.

Encryption

All customer data is encrypted at rest with AES-256 and in transit with TLS 1.3. Document storage uses server-side encryption; backups inherit the same controls.

Access control

Row-level security in the database enforces workspace isolation on every read and write. Roles (org_admin, member, super_admin) are stored in a dedicated table and checked via security-definer functions.

Infrastructure

Application runs on Cloudflare's global edge network. Primary data store is a managed Postgres cluster in the EU with point-in-time recovery and daily backups.

Logging & monitoring

Application errors are captured and triaged. A public health endpoint (/api/public/health) feeds uptime monitors. Per-request access logs are retained 30 days.

Sub-processors

We use a short, audited list of sub-processors for hosting, database, transactional email, and AI inference. The full list and notice-of-change policy is in the DPA.

Compliance posture

GDPR & CCPA ready. SOC 2 Type II audit in progress (report available under NDA). HIPAA is not currently supported — don't upload PHI.

AI processing

Document text is sent to our AI provider only to extract tasks. Inputs and outputs are not used to train third-party models. Extracted text is stored in your workspace and deleted when the document is deleted.

Data residency

EU data residency available on Business and Enterprise plans. Customer storage and database traffic stay within the EU for those workspaces.

Incident response

Security incidents trigger an on-call rotation. Customers materially affected by a confirmed incident are notified without undue delay, consistent with our DPA commitments.

Responsible disclosure

Report vulnerabilities to security@tempodocs.com. We acknowledge within one business day and credit researchers who follow safe-harbor disclosure.

Things we don't claim

We don't claim certifications we haven't earned. SOC 2 Type II is in progress, not complete. We don't support HIPAA. We don't run customer-hosted deployments. If a security questionnaire asks something we can't honestly answer "yes" to, we'll tell you.

SOC 2 Type II (in progress) GDPR & CCPA ready EU data residency availableAES-256 at rest · TLS 1.3 in transit