MENUCLOSE
Security
A control plane your CISO can sign off on.
Tallin is the runtime control plane for AI use by humans, apps, and agents. Built for financial services and other regulated teams that need to own every AI actor, cap runaway agent spend, govern model access, prove it with honest evidence, and keep strong customer data boundaries around provider credentials.
Certifications & audits
Honest trust signals, without pretending the program is older than it is.
- SOC 2 Type I
- In progressTargeting Q3 2026 with an independent audit firm. Current controls are being mapped to the trust services criteria now.
- External penetration test
- PlannedScheduled after the pilot cohort. Timing is still TBD, and the resulting executive summary will be available under NDA.
- Vulnerability disclosure
- Open channelSend reports to security@gettallin.com. PGP support is optional and will be published when a public key is available.
Data handling
Built around customer data boundaries and auditable access.
Tallin handles provider credentials, per-actor spend, model-scope policy, and audit evidence with conservative defaults for regulated operators.
Hosted gives you the strongest, most immediate central control. For banks, hospitals, and regulated teams that need data to stay put, the gateway can run in your own VPC, so prompts and content stay resident inside your network and policy is enforced where the traffic lives.
Sub-processors
The vendors behind the service.
Tallin keeps this list plain so security, compliance, and procurement teams can review what each vendor is used for.
| Vendor | Purpose | Data accessed | Region |
|---|---|---|---|
| Vercel | Hosting and serverless functions | Application traffic and serverless runtime data | US primary |
| Neon (Postgres) | Primary database | Customer data at rest | US |
| Resend | Transactional email | Email addresses and message content | US |
| Stripe | Billing and payments | Billing details only | US |
| Anthropic | AI API for in-product summaries and drafting | Governance metadata and prompts only when an AI feature is used | US |
| OpenAI | AI API fallback for in-product summaries and drafting | Governance metadata and prompts only when an AI feature is used | US |
Compliance documents
Review the legal baseline.
Reporting a vulnerability
Security reports go directly to the founder.
Send vulnerability reports to security@gettallin.com. Tallin acknowledges reports within 2 business days, honors the scope of disclosure, and will not pursue legal action against good-faith researchers acting within that scope.