We’re an early-stage company. We don’t have SOC 2 Type 2 yet. We’re working toward it, but formal audits take time.

What we do have: the technical controls and operational practices that SOC 2 verifies. We implement proper access management, encryption, change control, incident response, and vendor oversight. We run like we’re already audited because that’s how you build secure software.

If you need certifications now, self-hosting the control plane gives you a path forward. When Tero runs in your infrastructure, it inherits your compliance boundary. Your existing SOC 2, ISO 27001, or HIPAA certifications cover it. You include Tero in your audits rather than waiting for ours.
The deployment model changes the compliance story.

Tero-hosted control plane - We process your metadata. You’re evaluating us as a vendor. You need our security practices, our certifications, our audit reports. Standard vendor risk assessment.

Self-hosted control plane - We provide software you run. All your data stays in your infrastructure. Tero never processes customer data. This becomes internal software deployment, not vendor data processing. You control the compliance boundary.

Self-hosting doesn’t eliminate compliance work. You need to evaluate the software, include it in your audits, and maintain proper controls. But you’re not waiting on our certification timeline. You’re using your own.
GDPR - We’re compliant. We have a Data Processing Agreement with Standard Contractual Clauses. We document data flows, retention periods, and sub-processors. We support data subject rights (access, deletion, portability).

CCPA - We’re compliant. We don’t sell personal data. We honor opt-out requests. We maintain records of data processing activities.

HIPAA - We don’t process protected health information in normal operation. The semantic catalog captures metadata about telemetry structure, not the content. If your logs contain PHI, self-host the control plane and use your own Business Associate Agreement.

Data residency - Our control plane runs in GCP us-central1 (Iowa). If you need data to stay in specific geographic regions, self-hosting gives you complete control.
When you evaluate Tero as a vendor, you care about our sub-processors. Who else touches your data? Where does it go?

We minimize third parties. GCP hosts the infrastructure. WorkOS handles SSO authentication. OpenAI processes semantic understanding (you can configure other providers). Stripe processes payment for self-service customers (enterprise pays by invoice).

The full sub-processor list is available on the Sub-Processors page. We notify customers before adding new sub-processors that handle data.
Need to stay within your approved vendors? Self-host the control plane and configure AI processing through your approved providers (AWS Bedrock, Azure OpenAI). Your infrastructure, your vendors, your compliance.
SOC 2 Type 2 - Planned for 2026. We’re implementing controls now so the audit documents what we already do rather than building during the audit process.

Penetration testing - Scheduled for Q1 2025. Third-party security firm, comprehensive testing of control plane and edge components.

Audits take as long as they take. We’re not rushing certifications at the expense of actual security. Proper controls first, certifications follow.
We don’t wait for audits to implement controls. Here’s what we do today:

Access controls - Role-based access, MFA required, least privilege, temporary production access with approval and expiration.

Encryption - TLS 1.3 in transit, AES-256 at rest, proper key management through GCP KMS, daily encrypted backups.

Change management - Required code review, staging environment testing, automated test suites, documented rollback procedures.

Incident response - Documented plan, 24-hour notification for security incidents, post-incident analysis and remediation.

Vendor management - Risk assessment for all sub-processors, documented data flows, contractual security requirements.

Security monitoring - Automated threat detection, comprehensive audit logging, vulnerability scanning, GCP Security Command Center integration.

Employee security - Background checks, security training, managed devices, access revocation on departure.

These controls map to SOC 2 Trust Service Criteria. The certification verifies we actually do what we say. We’re building for the audit, not building during the audit.
Data Processing Agreement - Standard DPA with SCCs for GDPR compliance. Covers data handling, security commitments, sub-processors, data subject rights.

Security questionnaires - We respond to SIG, CAIQ, VSA, and custom security questionnaires. Turnaround is typically 5-7 business days.

Architecture documentation - Technical diagrams, data flow documentation, security controls mapping. For your security review process.

Audit reports - SOC 2 Type 2 and penetration test reports available after completion (2026 and Q1 2025 respectively).