Trust center

Built for compliance from day one.

Thaliq is the agentic layer your business runs on, which means every conversation, tool call and HITL decision moves through our infrastructure. This page is the honest answer to "what happens to our data when we use Thaliq."

Compliance

Where we stand on certifications.

Status reflects today, not the marketing version. When something flips state, this page updates the same day.

  • SOC 2 (Type II): In progress · Q4 2026
  • GDPR (EU data protection): DPA available
  • ISO 27001 (Information security management): In progress · Q1 2027
  • HIPAA (US health data): BAA on request · Enterprise

Posture

Four pillars under every Thaliq tenant.

The platform is multi-tenant by default, not as an add-on feature. Here's how that shows up in your security posture.

01 · Data isolation
Each tenant has its own row-level scope across PostgreSQL, DynamoDB and S3. Conversations, RAG documents and audit logs never share storage. A misrouted query returns nothing instead of someone else's data.

02 · Identity & access
We don't ship our own identity provider. Your IdP (Okta, Auth0, Azure AD, Google Workspace) is the source of truth. JWTs pass through to each tool call, so the agent acts with the asking user's permissions — not a service account.

03 · Audit by default
Every turn writes a record: who asked, which agent answered, which tools were called, the cost, the model used. Replay any conversation. Filter by tool failure or escalation cause. Audit retention follows your plan (7 / 30 / 90 days, or configurable on Enterprise).

04 · Hardened operations
Hosted on AWS (us-east-1 with eu-west-1 on Enterprise). Encryption in transit (TLS 1.2+) and at rest (AES-256). Backups every 24h with point-in-time recovery. Incidents follow a documented runbook with on-call rotation.

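What "a misrouted query returns nothing" looks like in PostgreSQL terms, as an added illustration rather than Thaliq's own schema: a table scoped by a row-level security policy keyed on the tenant bound to the current transaction. The table, role, session variable and tenant ids are assumptions.

```sql
-- Added illustration of per-tenant row-level scope; names are assumed, not Thaliq's.
CREATE TABLE conversations (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    body       text NOT NULL
);

-- Role the API connects as. Superusers always bypass RLS, so run the checks
-- below as a non-superuser role such as this one.
CREATE ROLE thaliq_app NOLOGIN;
GRANT SELECT, INSERT ON conversations TO thaliq_app;

-- FORCE applies the policy to the table owner too, so no connection path skips it.
ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;

-- Reads and writes are both filtered by the tenant bound to the session.
-- With no tenant bound, current_setting(..., true) yields NULL (or '' after a
-- prior SET LOCAL, which fails the uuid cast): the query fails closed, never open.
CREATE POLICY tenant_scope ON conversations
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per-request setup: bind the tenant taken from the verified JWT claim with
-- SET LOCAL, so the value dies with the transaction on a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';   -- constructed tenant A
INSERT INTO conversations (tenant_id, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'hello from tenant A');
SELECT id, body FROM conversations;   -- tenant A's row only
COMMIT;

-- A request misrouted to tenant B sees zero rows, not tenant A's data,
-- and a write that names another tenant is rejected by WITH CHECK.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';   -- constructed tenant B
SELECT id, body FROM conversations;   -- 0 rows
INSERT INTO conversations (tenant_id, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'cross-tenant write');
-- ERROR: new row violates row-level security policy for table "conversations"
ROLLBACK;
```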
Data handling

What we store. What we never store.

The shortest version of our security story. If you only read one section, read this one — it tells your legal team what they actually need to know.

What we store
  • Conversation messages: per tenant, encrypted at rest. Retention follows your plan.
  • Agent specifications: versioned snapshots so you can roll back. Stored per tenant.
  • Audit logs: who · what · when · cost — for compliance and forensics.
  • Tool call metadata: name, duration, success/failure, model used. Not payload contents.
  • RAG documents: only the documents you explicitly upload to your agent.

What we never store
  • Customer API tokens: passed through to tools on each call; never persisted on our side.
  • LLM provider keys: on BYOK, the key lives in your secret manager. We never see it.
  • Raw tool payloads: we log the shape of a tool call, not the contents. Your end-user PII stays in your systems.
  • End-user passwords: authentication happens at your IdP. We only see the resulting JWT claims.
  • Conversations from churned tenants: hard-deleted 30 days after offboarding. No long-tail data hoarding.

Subprocessors

Who else touches your data.

Honest list of the third parties that process tenant data on our behalf. Updated whenever a subprocessor changes. Enterprise tenants get notified 30 days before any change.

Provider   | Purpose                              | Region
Anthropic  | Claude inference (default)           | us-east-1
AWS        | Compute · storage · DB · CDN         | us-east-1 · eu-west-1 (Enterprise)
Upstash    | Redis cache                          | Global edge
Voyage AI  | RAG embeddings                       | us-east-1
LangFuse   | Observability (Thaliq admin only)    | us · self-hosted on Enterprise

BYOK customers can route inference to their own Anthropic / Bedrock account, removing Anthropic as a Thaliq subprocessor for their tenant.

Documents

Legal and compliance artefacts.

We have these on hand and can send them via NDA. We do not publish them in full to keep clauses fresh and to control distribution.

  • DPA (Data Processing Agreement): GDPR-aligned, standard contractual clauses included. Available on request.
  • BAA (Business Associate Agreement): HIPAA. Only signed on Enterprise plans with an active healthcare workload. On request · Enterprise.
  • MSA (Master Service Agreement): standard for Enterprise and PAYG customers, negotiable terms. Available on request.
  • Privacy policy: how we handle data of users on our website and product. Coming soon.
  • Terms of service: self-serve plan terms, required for Free / Builder / Scale. Coming soon.
  • SOC 2 report: full Type II report available once certification completes. When certified · Q4 2026.

Vulnerability disclosure

Found something? We want to know.

We don't run a public bug bounty yet, but we respond to responsible disclosure quickly. Reach out to the address below; we will acknowledge within 24 hours and coordinate a fix window.

  • We acknowledge critical reports within 24 hours.
  • Standard disclosure window is 90 days, negotiable based on severity.
  • No legal action against good-faith research that follows this policy.
  • Hall-of-fame on this page for accepted reports (with your consent).

Need to deep-dive before signing?

We will get on a call with your security team, walk through controls, share what we can under NDA, and answer the awkward questions. No marketing, no slides — engineers who can answer.