Last updated: June 15, 2026
Tamloot is built for professionals who run on conversations — coaches, therapists, consultants, advisors, and the many others whose work depends on what happens in a 1-on-1. Those conversations are deeply personal, so security and privacy aren’t features we added — they shape every layer of the platform and every decision we make about your data.
Security contact: security@tamloot.cc
Where we stand today on the standards that matter to the people who trust us with sensitive conversations.
An independent audit of our security controls is underway, with the Type I report expected soon.
A Type II report covering the sustained operation of our controls will follow Type I.
We are building out our information security management system toward ISO 27001 certification.
We follow GDPR data-protection principles and provide a Data Processing Agreement (DPA) on request.
AES-256 at rest and TLS 1.2+ in transit protect your data everywhere it lives or moves.
PostgreSQL Row-Level Security guarantees each user can only ever access their own data.
SOC 2 and ISO 27001 are independent attestations. We will only describe ourselves as “certified” once the relevant report is issued by the auditing firm; until then these reflect work in progress.
Every piece of data moves through a pipeline designed for confidentiality at every step:
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Row-Level Security in our database ensures complete user isolation — your data is never accessible to other users.
A selection of the technical and organizational controls that protect Tamloot, grouped by area.
The following vendors process data on our behalf to deliver Tamloot.
We maintain Data Processing Agreements (DPAs) with our subprocessors, and can provide our own DPA to customers on request. Contact us at privacy@tamloot.cc to request one.
| Vendor | Purpose | Data accessed | Region |
|---|---|---|---|
| Supabase | Database, authentication & storage | All application data (encrypted at rest) | Tokyo (ap-northeast-1) |
| AWS | Audio storage, compute & logs | Audio files, compute | Frankfurt (eu-central-1) |
| Anthropic | AI notes, meeting prep & copilot | Transcripts (not used for model training) | United States |
| ElevenLabs | Speech-to-text transcription | Audio recordings | United States |
| Vercel | API & web hosting | Data in transit | United States |
| Recall.ai | Desktop session recording | Session audio/video | United States |
| Hookdeck | Webhook routing | Webhook payloads (in transit) | Vendor-managed |
| Cloudflare | DNS, CDN & edge | Traffic metadata | Global edge |
| | Authentication & calendar | OAuth tokens, calendar events | Vendor-managed |
| Sentry | Error monitoring | Diagnostics (PII-minimized) | Vendor-managed |
| PostHog | Product analytics | Usage events (content masked) | United States |
| Lemon Squeezy | Payments | Billing metadata, email | United States |
| Resend | Transactional email | Email addresses & content | Vendor-managed |
Additional channels (such as Telegram or WhatsApp) only process data for users who explicitly connect them. Content you export to your own destinations (e.g. Google Docs) becomes a copy you control.
Security documentation is available to customers and prospects on request. Reach out and we’ll share what you need.
For complete details, see our Privacy Policy.
We maintain a documented incident response process and breach notification procedure. In the event of a security incident affecting your data:
To report a security concern or potential vulnerability, contact us at security@tamloot.cc.
Have questions about our security posture, how we handle data, or how we protect the people you work with? Need a Data Processing Agreement or our security documentation? We’re here to help.
security@tamloot.cc