Compliance
Tegendo.AI is committed to meeting the compliance requirements of enterprise organizations. This page outlines our current compliance posture, certifications, and roadmap.
Current compliance posture
Tegendo.AI implements security controls aligned with industry-standard frameworks. While we are in the process of obtaining formal certifications, our platform is designed and operated to meet the requirements of the following standards.
SOC 2 Type II
Status: In progress (audit scheduled)
Tegendo.AI is pursuing a SOC 2 Type II attestation, which evaluates both the design and the operating effectiveness of controls over a review period (a Type I report covers design only, at a point in time). Our audit scope is the Security, Availability, and Confidentiality Trust Services Criteria.
Our readiness work maps controls to all five Trust Services Criteria:
| Trust Services Criteria | Implementation |
|---|---|
| Security | Encryption at rest (AES-256) and in transit (TLS 1.3), SSO/SCIM, RBAC, audit logging, vulnerability management |
| Availability | Multi-AZ deployment, automated failover, 99.9% uptime SLA, monitoring and alerting |
| Confidentiality | Tenant isolation via database row-level security (RLS), data retention policies, encryption, access controls |
| Processing Integrity | Input validation, automated testing, deployment pipelines with approval gates |
| Privacy | Data minimization, configurable retention, right to deletion, privacy policy |
GDPR
Status: Compliant by design
Tegendo.AI is designed to comply with the General Data Protection Regulation (GDPR) for organizations operating in or serving the European Union.
Key GDPR controls:
- Data Processing Agreement (DPA) — Available for all enterprise customers
- Data minimization — We collect only the data necessary to provide the service
- Right to access — Users can export all their data at any time
- Right to deletion — Users and admins can delete conversations and account data
- Data portability — Conversations can be exported in JSON format
- Configurable retention — Admins set retention periods aligned with their GDPR policies
- Breach notification — Customers are notified without undue delay, and within 72 hours of our becoming aware of a personal data breach affecting their data, so they can meet their own supervisory-authority deadline under GDPR Article 33
- Sub-processors — We maintain a list of sub-processors (AI providers, infrastructure) and notify customers of changes
Tegendo.AI can be configured to store and process customer data in EU-based infrastructure for organizations with data residency requirements. Contact sales@tegendo.ai for EU data residency options.
HIPAA
Status: Roadmap (target Q4 2026)
Tegendo.AI does not currently offer a Business Associate Agreement (BAA) and is not HIPAA-ready, so it must not be used to process Protected Health Information (PHI). HIPAA readiness is on our roadmap for 2026, including:
- Business Associate Agreement (BAA)
- PHI encryption and access controls
- Audit logging meeting HIPAA requirements
- Workforce training and policy documentation
CCPA / CPRA
Status: Compliant
Tegendo.AI complies with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Users can request access to their personal data
- Users can request deletion of their personal data
- We do not sell personal data to third parties
- Our privacy policy discloses data collection practices
AI provider compliance
Tegendo.AI integrates with AI providers under enterprise agreements that include data protection commitments:
| Provider | Agreement | Used for model training | Prompt/output retention |
|---|---|---|---|
| Anthropic | Enterprise API agreement | No (data not used for training) | Not retained after processing |
| OpenAI | Enterprise API agreement | No (data not used for training) | Not retained after processing |
| Google (Gemini) | Enterprise API agreement | No (data not used for training) | Not retained after processing |
These commitments apply when using Tegendo.AI’s managed API keys or BYOK with enterprise-tier provider accounts. If your organization uses consumer-tier provider API keys via BYOK, the provider’s consumer data policies may apply.
Security practices
Vulnerability management
- Dependency scanning — Automated scanning of all dependencies for known vulnerabilities using Dependabot and Snyk
- Container scanning — Docker images are scanned before deployment
- Static analysis — Code is analyzed for security issues during CI/CD
- Penetration testing — Annual third-party penetration testing
- Bug bounty — Responsible disclosure program through which security researchers report vulnerabilities to us
Business continuity
- Backups — Database backups every 24 hours with 30-day retention
- Disaster recovery — Recovery point objective (RPO) of 24 hours, recovery time objective (RTO) of 4 hours
- Multi-AZ — Infrastructure deployed across multiple AWS availability zones
- Incident response — Documented incident response plan with defined escalation procedures
Employee security
- Background checks — All employees undergo background checks
- Security training — Mandatory security awareness training annually
- Least privilege — Employees are granted minimum necessary access
- Access reviews — Quarterly reviews of employee access to production systems
Compliance roadmap
| Standard | Status | Target date |
|---|---|---|
| SOC 2 Type II | In progress (audit scheduled) | Q3 2026 |
| GDPR | Compliant | Current |
| CCPA / CPRA | Compliant | Current |
| HIPAA | Planned | Q4 2026 |
| ISO 27001 | Planned | Q1 2027 |
| FedRAMP | Evaluating | TBD |
Requesting compliance documentation
Enterprise customers can request:
- SOC 2 readiness report
- Data Processing Agreement (DPA)
- Security questionnaire responses
- Vendor risk assessment documentation
- Sub-processor list
Contact security@tegendo.ai or your account manager to request documentation.