Earning trust with every request.
TempoDocs is built for teams that handle sensitive plans, contracts, and roadmaps. Here's a plain-English summary of how we protect your data — and where we still have work to do.
Encryption
All customer data is encrypted at rest with AES-256 and in transit with TLS 1.3. Document storage uses server-side encryption; backups inherit the same controls.
Access control
Row-level security in the database enforces workspace isolation on every read and write. Roles (org_admin, member, super_admin) are stored in a dedicated table and checked via security-definer functions.
Infrastructure
Application runs on Cloudflare's global edge network. Primary data store is a managed Postgres cluster in the EU with point-in-time recovery and daily backups.
Logging & monitoring
Application errors are captured and triaged. A public health endpoint (/api/public/health) feeds uptime monitors. Per-request access logs are retained 30 days.
Sub-processors
We use a short, audited list of sub-processors for hosting, database, transactional email, and AI inference. The full list and notice-of-change policy is in the DPA.
Compliance posture
GDPR & CCPA ready. SOC 2 Type II audit in progress (report available under NDA). HIPAA is not currently supported — don't upload PHI.
AI processing
Document text is sent to our AI provider only to extract tasks. Inputs and outputs are not used to train third-party models. Extracted text is stored in your workspace and deleted when the document is deleted.
Data residency
EU data residency available on Business and Enterprise plans. Customer storage and database traffic stay within the EU for those workspaces.
Incident response
Security incidents trigger an on-call rotation. Customers materially affected by a confirmed incident are notified without undue delay, consistent with our DPA commitments.
Responsible disclosure
Report vulnerabilities to security@tempodocs.com. We acknowledge within one business day and credit researchers who follow safe-harbor disclosure.
Things we don't claim
We don't claim certifications we haven't earned. SOC 2 Type II is in progress, not complete. We don't support HIPAA. We don't run customer-hosted deployments. If a security questionnaire asks something we can't honestly answer "yes" to, we'll tell you.