Security FAQ

Your data is stored in Neon PostgreSQL databases in the United States, with file attachments in Cloudflare R2 (global edge). All data is encrypted at rest (AES-256) and in transit (TLS 1.3).

We use Google Gemini for real-time analysis and strategy generation, and Microsoft Azure for speech-to-text. Your data is NEVER used to train any AI models. All processing is session-based and ephemeral.

We implement input/output filtering for prompt injection attacks, isolate AI system prompts, and automatically scan AI outputs for sensitive data like API keys, tokens, and personally identifiable information.

Meeting audio is processed in real-time via encrypted WebSocket connections. Transcripts are stored encrypted in our database. Recordings uploaded to cloud storage are encrypted at rest.

You can delete your account from Settings. Deletion has a 30-day grace period (you can restore during this time), after which all data is permanently removed in compliance with GDPR Article 17.

We implement per-user rate limiting, cost anomaly monitoring, and automatic throttling. Unusual consumption patterns trigger alerts and temporary restrictions.

Payment is processed entirely by Paddle (our Merchant of Record). Your credit card information never touches our servers. Paddle is PCI DSS Level 1 certified.

Enterprise SSO and custom security requirements are available on our Enterprise plan. Contact us at security@tanpan.ai for details.

We carefully vet all subprocessors for security certifications (SOC 2, ISO 27001). Data shared with subprocessors is minimized to what's strictly necessary for their function.

Please email security@tanpan.ai with details. We follow a Responsible Disclosure policy — we won't take legal action against good-faith security researchers and will credit you in our Security Hall of Fame.