Trust Center
Tim handles your work. We take that seriously. This page is the authoritative source for our security posture, compliance status, and the controls we put in place — kept current alongside the codebase, not in a dusty PDF.
Last reviewed 2026-05-04.
Encryption
- Per-workspace Fernet envelope encryption for memory + transcripts
- TLS 1.2+ end-to-end on every API edge
- Workspace KEK rotation supported (90-day max key age)
- ACS Calling audio handled in MS-eligible regions only
SOC 2 Type II
- Type I report under finalization
- Type II observation window underway
- Audit-export endpoints + 7-year retention live
- Available under NDA — request below
GDPR
- Article 28 processor obligations honored
- Sub-processor list + DPA template available
- EU residency mode (microsoft_only) supported per workspace
- Subject access + erasure flows automated
ISO 27001
- Targeting Q4 2026 certification
- Controls already aligned via SOC 2 work
- Will publish certificate when issued
Documents
The following are available under NDA. Request via the form at the bottom of the page (or email trust@gettim.co).
- SOC 2 Type I reportAvailable now
- SOC 2 Type II reportAvailable Q3 2026
- Penetration test report (latest)Available now
- DPA template (Article 28)Self-serve PDF
- Sub-processor listSee below
- Security whitepaperSelf-serve PDF
- GDPR Records of Processing Activity (RoPA)On request
- Insurance certificate (cyber + E&O)On request
Sub-processors
Tim relies on the following sub-processors. Notice of changes is given 30 days in advance via the changelog at status.gettim.co.
| Provider | Purpose | Region | Data class |
|---|---|---|---|
| Microsoft Azure | Compute, storage, ACS Communications, Speech, OpenAI | EU + US | All customer data |
| Google AI Studio / Vertex AI | LLM inference (Gemini) | US (Vertex EU optional) | Prompts + completions |
| Anthropic | LLM inference (Claude) | US | Prompts + completions |
| Stripe | Billing + Issuing (commerce v1) | US/EU | Payment metadata |
| Pipedream | OAuth rail for 600+ third-party APIs | US | OAuth tokens |
| Sentry | Error monitoring | US | Stack traces (PII-scrubbed) |
| PostHog | Product analytics | EU | Anonymized events |
| SEC EDGAR (public) | G12 funding + exec-change signals (Form D, 8-K) | US | Public corporate filings |
| Google News RSS (public) | G12 news signal keyword sweeps | Global | Public news articles |
| Hacker News API (public) | G12 tech mention + Show HN signals | US | Public posts |
| Greenhouse / Lever public boards | G12 hiring-burst signal detection | US | Public job postings |
| Wikidata | G12 corporate metadata enrichment | Global | Public structured data |
| Companies House (UK) | G12 UK funding + officer-change signals | UK | Public corporate filings |
| HubSpot (workspace-connected) | G12 CRM sync (bi-directional) — contact + activity write; contact pull into Prospects | US/EU (workspace choice) | Prospect contact + activity log |
| Pipedrive (workspace-connected) | G12 CRM sync (bi-directional) — person + activity + deal write; person pull into Prospects | EU | Prospect contact + activity log |
| LinkedIn (workspace user OAuth) | G12 engagement signals + DM + post; workspace user's own account only | Global | Workspace user's LinkedIn activity |
| TechCrunch RSS | G12 funding + launch news firehose | US/Global | Public news article metadata |
| Reuters RSS | G12 corporate news firehose | Global | Public news article metadata |
| Bloomberg RSS | G12 markets + corporate news firehose | Global | Public news article metadata |
| Yahoo Finance RSS | G12 finance news firehose | US/Global | Public news article metadata |
| Bing News | G12 supplemental news search (Azure free tier) | Global | Public news article metadata |
| Crunchbase Pro (BYO key) | G12 premium funding depth — opt-in per workspace, key encrypted on workspace row | US | Public corporate funding records |
| Apollo (BYO key) | G12 prospect enrichment — opt-in per workspace | US | Prospect enrichment metadata |
| Clay (BYO key) | G12 prospect enrichment — opt-in per workspace | US | Prospect enrichment metadata |
| Lusha (BYO key) | G12 prospect enrichment — opt-in per workspace | US/EU | Prospect enrichment metadata |
| RB2B (BYO key) | G12 website-visitor identification — opt-in per workspace | US | Visitor identification signals |
Vulnerability disclosure
If you've found a security issue, please report it to security@gettim.co. PGP key on request. We respond within 24 hours and aim to ship a fix within 90 days for all confirmed issues. Public acknowledgment + bounty are available — see our full security policy.
- Initial response: ≤ 24 hours
- Triage decision: ≤ 5 business days
- Fix target: 90 days for critical/high; 180 days for medium
- Coordinated disclosure: standard 90-day window
System status
Live uptime + incident history.
Request documents
Send a one-line email describing what you need (SOC 2 letter, pen-test report, DPA) plus the company name to trust@gettim.co. Most documents land in your inbox within one business day.