Trust Center

We hold ourselves to the same standard.

Security is the product. Here's how we run our own program — the frameworks we follow, the safeguards we operate, and how to ask us anything.

Our own standards

Built on the principles we ask of you.

Talarity's own security and privacy program follows the same disciplines we help our customers run. The principles we measure your program against are the principles we operate by.

Defense in depth, by design

Encryption at rest and in transit, layered access controls, anti-abuse on every callable. The same multi-layer thinking we help customers operationalize.

Least privilege, by default

Access is granted by role, scoped tight, and audited continuously. No standing admin, no shared accounts. Identity is the perimeter.

Privacy as a first-order concern

Customer data flows are governed by the question 'should this happen?' before 'can it?' Data minimization, purpose limitation, and clear retention shape every design decision.

Continuous improvement, by practice

Our security and privacy program is reviewed regularly, validated against the disciplines we help our customers run, and improved as the threat landscape evolves.

Security architecture

Defense in depth.

Encryption

TLS 1.3 in transit. AES-256 at rest. Customer-managed keys available on Enterprise.

Authentication

SSO/SAML/OIDC, optional MFA enforcement, SCIM provisioning, App Check on every callable.

Access control

Three-layer RBAC: route registry, dispatcher, handler. Org-group feature gating. Least-privilege by default.

Audit logs

60+ event types, immutable, hash-chained. Available via UI export and API.

Data residency

US-Central by default. Multi-region available on Custom contracts.

Backup + recovery

Point-in-time PostgreSQL backups, daily Firestore exports, documented RTO/RPO targets.

AI safety

No magic, no surprises.

Customer data isn't training data. Outputs are sourced. Budgets are visible.

Trust, but verify

We continuously refine the inputs, prompts, and guardrails we provide our AI features so outputs are sourced and every claim is traceable. AI assists — it never replaces — and we keep working to reduce hallucination as the technology matures.

Bring your own LLM (AI Insights module)

For customers of our AI Insights module: plug in your preferred LLM via API key — OpenAI, Anthropic, or another provider. The module includes limited access to our AI infrastructure so you can get started immediately, then route through your own model when you're ready.

No model training on data

Customer data is never used to train models. We don't share data with our LLM providers beyond the inference call.

Org-level control

AI features can be disabled or scoped at the org level. Default-off for regulated tenants on request.

Sub-processors

Who we share data with.

A current list of sub-processors is at /legal/sub-processors. We notify customers before changes.

Security questionnaire

CAIQ, SIG, or VSAQ on file.

Procurement working through standard security questionnaires? We respond within five business days under NDA.

Have a security question?

Email security@talarity.com or use the contact form. We answer within one business day.