Security
Built to handle confidential M&A data.
Our founder has sat in the deal-team, advisor, and legal seats for M&A. For Taia, data security is table stakes.
Compliance
SOC 2 Type II readiness is in progress. We are operating against the Trust Services Criteria for security, availability, and confidentiality. We are targeting our SOC 2 Type II report by Q4 2026.
A current readiness status letter is available on request under mutual NDA.
Encryption
All traffic to and from the platform is encrypted in transit using TLS 1.2 or higher. Customer data at rest is encrypted using AES-256 via our infrastructure providers.
Customer credentials are never stored on Taia infrastructure; authentication uses short-lived tokens issued by our auth provider. Secrets and API keys are stored in managed secret stores, never in source code or logs.
Access controls
Multi-factor authentication is mandatory for all accounts with production access. Production access is restricted to a documented set of personnel with role-based privileges and a clear business need.
Staff access to customer deal data through the platform’s authenticated interface is limited, logged, and reviewed. Access is reviewed quarterly and revoked within one business day of offboarding.
Data handling
Customer data is hosted on infrastructure located in the United States and logically isolated per tenant. Isolation is enforced at the API layer, with database row-level security as defense in depth.
Customers do not have direct database access; all data flows through Taia’s authenticated platform. Infrastructure providers carry SOC 2 Type II or ISO 27001 attestations.
Data retention
Taia does not train, fine-tune, or otherwise use customer data to improve any AI model. The files and data you submit and the analyses Taia generates from them are used to deliver services to you. Where Taia uses third-party large language model providers, those providers operate under enterprise terms that prohibit training on customer inputs, and Taia configures these workloads for zero data retention where available.
As a platform, Taia does retain de-identified and aggregated patterns that (i) feed its benchmark database and (ii) improve platform performance. Taia never retains or shares raw customer data. Customers can opt out of (i) and/or (ii). Improvements and patterns Taia derives from platform usage are Taia’s intellectual property. Customers do not acquire derivative works rights in those patterns through their engagement with the system.
Customer data is retained for the duration of your subscription. On contract termination or written deletion request, hard deletion completes within 7 days, reflecting our database provider’s rolling backup retention window. De-identified and aggregated patterns retained for benchmarks or platform performance (subject to your opt-out election) survive termination, consistent with their status as Taia’s intellectual property.
Sub-processors
A current list of sub-processors, the data they receive, and links to their data processing terms is provided to customers under mutual non-disclosure as part of vendor due diligence. Email legal@taiatech.com to request a copy.
Taia will notify customers of sub-processor changes — additions or removals — at least 30 days in advance, providing the right to object per the DPA.
Vulnerability management & incident response
Dependencies are monitored for known vulnerabilities through automated tooling. Incident response procedures are being documented as part of Taia’s SOC 2 readiness. Security incidents affecting customer data will be communicated to the affected customer within 24 hours of confirmation.
Responsible disclosure of suspected vulnerabilities is welcome at legal@taiatech.com.