Security.
The honest picture of where we are today, what we have in place, and what's on the roadmap. No compliance theatre.
Last updated · May 30, 2026
01 · Where we are today
Tegan is a young product in active build with paying private-beta customers. The basics are in place; the auditor-stamped certifications are not. We'd rather tell you what's real than ship a trust page that overpromises.
- TLS 1.2+ in transit. Encryption at rest on managed cloud storage.
- Per-tenant data isolation — knowledge bases, transcripts, and recordings are scoped to a single workspace.
- Production access limited to a small engineering team with audited logins.
- No persistent storage of voice audio outside session recordings the customer can review and delete.
02 · Infrastructure
The marketing site runs on Cloudflare Workers Static Assets. The product runs on a hardened Cloudflare + managed-database stack with standard regional redundancy. Sub-processors include voice and transcription model providers under data-processing agreements. The current list is available on request.
03 · Authentication
Customer sign-in is magic-link only — no passwords stored, no password-reset blast radius. Each workspace supports multiple team members with permission roles (Owner / Editor / Reviewer). SSO and SCIM are on the enterprise roadmap.
04 · What end users see
Before a conversation begins, end users see a clear notice that the call is recorded. Screen-share is opt-in per session via the browser's native permission prompt — never forced. End users can end the call at any time and the microphone closes immediately.
05 · Vulnerability disclosure
We welcome responsible disclosure. If you've found a security issue, write to security@tegan.ai. We'll acknowledge within two business days and keep you updated through resolution. We don't currently run a paid bug-bounty program but recognise contributors publicly with permission.
06 · Incident response
If we detect a security incident affecting customer data, we'll notify the affected customers without undue delay with what we know, what we're doing, and what they should do. The standard for “undue delay” is within 72 hours of confirmed scope, in line with GDPR expectations.
07 · Compliance roadmap
We are pre-SOC 2. A formal SOC 2 Type II program is on the roadmap and is the gating item for our enterprise tier. Tegan is not currently suitable for HIPAA-regulated workflows; if PHI is in scope, please use a different tool.
Customers can request our most recent security questionnaire responses and sub-processor list by emailing security@tegan.ai.
08 · Data residency
Today, production data is hosted in cloud regions in the United States and the European Union. Regional pinning per workspace is on the enterprise roadmap.
09 · What we ask of you
Keep your magic-link email account secured with MFA. Use per-person team logins instead of shared accounts. Don't paste secrets into agent knowledge sources or call transcripts — if you spot one in a recording, you can delete that session from the dashboard.
