Security

A control plane your CISO can sign off on.

Tallin is the runtime control plane for AI use by humans, apps, and agents. Built for financial services and other regulated teams that need to own every AI actor, cap runaway agent spend, govern model access, prove it with honest evidence, and keep strong customer data boundaries around provider credentials.

Certifications & audits

Honest trust signals, without pretending the program is older than it is.

SOC 2 Type I
In progressTargeting Q3 2026 with an independent audit firm. Current controls are being mapped to the trust services criteria now.
External penetration test
PlannedScheduled after the pilot cohort. Timing is still TBD, and the resulting executive summary will be available under NDA.
Vulnerability disclosure
Open channelSend reports to security@gettallin.com. PGP support is optional and will be published when a public key is available.

Data handling

Built around customer data boundaries and auditable access.

Tallin handles provider credentials, per-actor spend, model-scope policy, and audit evidence with conservative defaults for regulated operators.

Hosted gives you the strongest, most immediate central control. For banks, hospitals, and regulated teams that need data to stay put, the gateway can run in your own VPC, so prompts and content stay resident inside your network and policy is enforced where the traffic lives.

Workspace-isolated architecture with row-level security in PostgreSQL. Each customer's data is logically isolated at the database row level.
Encryption in transit: TLS 1.2+ on all application and API endpoints.
Encryption at rest: AES-256 for customer credentials using envelope encryption with workspace-scoped keys.
Audit logging on admin actions retained for the duration of the customer contract.

Sub-processors

The vendors behind the service.

Tallin keeps this list plain so security, compliance, and procurement teams can review what each vendor is used for.

VendorPurposeData accessedRegion
VercelHosting and serverless functionsApplication traffic and serverless runtime dataUS primary
Neon (Postgres)Primary databaseCustomer data at restUS
ResendTransactional emailEmail addresses and message contentUS
StripeBilling and paymentsBilling details onlyUS
AnthropicAI API for in-product summaries and draftingGovernance metadata and prompts only when an AI feature is usedUS
OpenAIAI API fallback for in-product summaries and draftingGovernance metadata and prompts only when an AI feature is usedUS

Reporting a vulnerability

Security reports go directly to the founder.

Send vulnerability reports to security@gettallin.com. Tallin acknowledges reports within 2 business days, honors the scope of disclosure, and will not pursue legal action against good-faith researchers acting within that scope.