Tabba.
Security

Last updated: January 26, 2026

On this page

  • Certifications
  • Infrastructure
  • Data Handling
  • Privacy Mode
  • Account Deletion
  • Vulnerability Disclosure

Security Certifications & Third-Party Assessments

Our commitment to security is validated by industry-leading certifications and independent audits.

SOC 2 Type II (status: Verified)
An annual SOC 2 Type II audit certifies that our security, availability, and confidentiality controls meet rigorous industry standards.
Last audit: December 15, 2025

Annual Penetration Testing (status: Verified)
Independent security experts conduct comprehensive penetration testing annually to identify and remediate vulnerabilities.
Last audit: January 10, 2026

ISO 27001 Ready (status: In Progress)
Our information security management system follows ISO 27001 best practices, with certification in progress.
Last audit: November 1, 2025

Third-Party Security Assessments (status: Verified)
Regular security assessments by independent firms validate our security posture and compliance.
Last audit: October 20, 2025

Infrastructure Security

Hosting
All customer data is hosted on Supabase infrastructure running in AWS data centers within the European Union. We ensure data residency compliance with EU data protection regulations.

Provider: Supabase (AWS)

Regions: EU (Frankfurt), EU (Ireland)

Provider attestations: SOC 2 Type II, ISO 27001, GDPR compliant

Encryption
All data is encrypted at rest using AES-256. Data in transit is protected using TLS 1.3 with perfect forward secrecy.

At rest: AES-256

In transit: TLS 1.3

Network Security
Our infrastructure implements multiple layers of network security to protect against threats and unauthorized access.

  • DDoS protection via AWS Shield
  • Web Application Firewall (WAF)
  • Network isolation and VPC segmentation
  • Intrusion detection and prevention systems

Backups
Automated backups run continuously with point-in-time recovery capability. Backups are encrypted and stored in geographically separate locations.

Frequency: Continuous with point-in-time recovery

Retention: 30 days
Third-Party Subprocessors

Service      Purpose                              Location
Supabase     Database, Authentication, Storage    EU
Vercel       Application Hosting, CDN             Global
Stripe       Payment Processing                   Global
Anthropic    AI Processing (Claude API)           US
Resend       Transactional Email                  US

Last updated: January 26, 2026

Data Handling & Retention

We handle your data with care and transparency. Your data is never used to train AI models.

Your data is NEVER used to train AI models
We have zero-data-retention agreements with all AI providers. Your prompts and data are deleted immediately after processing.

Data Lifecycle

  1. Collection: We collect only the minimum data necessary to provide our service.
  2. Storage: Data is encrypted at rest and stored in EU data centers.
  3. Processing: Data is processed according to GDPR and your consent preferences.
  4. Deletion: Data is permanently deleted according to retention policies.
Data Categories

Privacy Mode

Enhanced privacy controls for sensitive financial data.

Zero AI Training
Your financial data is never used to train or improve AI models. We have contractual guarantees with all AI providers.

Data Minimization
We collect and process only the minimum data necessary to provide our service.

User Control
You have complete control over what data is shared and can delete your data at any time.

Data Flow

  • User Input: You provide a financial query or document.
  • Processing: AI processes your request under a zero-retention policy.
  • Response: You receive AI-generated insights.
  • Deletion: All prompts are deleted within 24 hours.

AI Providers

Anthropic (Claude)

Zero retention: Yes

Location: US

Account Deletion & GDPR Rights

You have the right to delete your data at any time.

Deletion Process

Immediate (0-24 hours)
Account access is immediately revoked. User data is marked for deletion.

Processing (24-72 hours)
All user data is permanently deleted from production databases and backups. Deletion logs are generated for audit.

Complete (72 hours)
All user data is irrecoverably deleted. Only anonymized usage statistics (no PII) are retained for compliance.

Legal Retention Requirements
Some financial records must be retained for 7 years for tax and accounting compliance. These records are encrypted and isolated from operational systems.

Data Export
Before deleting your account, you can export all your data in JSON format.

To delete your account, go to Settings > Account > Delete Account. You will be guided through the deletion process.

Vulnerability Disclosure Policy

We welcome responsible disclosure of security vulnerabilities.

Report Security Issues
Please report security vulnerabilities to our security team by email: security@tabba.io

In Scope (report these)

  • Authentication bypass or privilege escalation
  • SQL injection, XSS, or other injection attacks
  • Server-side request forgery (SSRF)
  • Sensitive data exposure
  • Access control issues

Out of Scope (do not report)

  • Social engineering attacks
  • Physical attacks against Tabba infrastructure
  • Denial of service (DoS/DDoS)
  • Spam or social media account takeovers
  • Issues in third-party dependencies (report to maintainers)

Response Timeline

  • Acknowledgment: 48 hours
  • Initial response: 5 business days
  • Resolution: 90 days (varies by severity)

Please give us reasonable time to fix vulnerabilities before public disclosure. We commit to acknowledging reports within 48 hours and providing regular updates.