Compliance & Security

Built for regulated industries — and the teams inside them

Tropic ships agents for healthcare, finance, and public sector customers. We hold the certifications they need and the contract terms their legal teams actually sign.

Certifications & frameworks

SOC 2 Type II

Active

Independently audited by Prescient Assurance. Reports available under NDA via [email protected].

HIPAA

Active (BAA available)

Covered-entity and business-associate agreements available for Enterprise customers handling PHI.

GDPR

Active

EU Data Processing Addendum available. Sub-processor list published and monitored.

ISO 27001

In audit — Q3 2026

Currently in stage-two audit. Controls in production since Q4 2025.

PCI DSS

Level 4 merchant

No card data stored on Tropic infrastructure. Payment processing via Stripe / Razorpay.

CCPA / CPRA

Active

Verifiable consumer requests honored within 30 days via [email protected].

How we run the platform

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest (customer content, backups, logs). Per-tenant encryption keys on Enterprise.

Key management

Keys live in AWS KMS with automatic rotation. HSM-backed on Enterprise. BYOK via CMK on request.

Access controls

SSO/SAML + SCIM. Role-based permissions. Every admin action logged with tamper-evident audit trail.

Deployment options

Multi-tenant SaaS (default), VPC single-tenant, on-premises, and air-gapped. Pick the isolation your compliance demands.

Data residency

US, EU, UK, APAC regions available. Per-workspace residency pinning on Enterprise.

Incident response

24/7 on-call. Customer notification within 72h of confirmed breach. Post-mortems published for every SEV-1.

Our data promises

The commitments that matter, written in plain English — not buried in a DPA.

We do not train foundation models on your content. Ever.
We do not share your data with third parties beyond the declared sub-processors.
You retain ownership and copyright of every prompt, document, and conversation.
You can export or delete 100% of your data on demand — no retrieval fees, no 'archive' traps.
We publish our sub-processor list publicly and alert you 30 days before any change.

Need our SOC 2 report, DPA, or HIPAA BAA?

Email [email protected] — you'll get all standard documents within one business day.

Read security overview

Talk to a solutions engineer

We'll walk through your compliance checklist and help you pick the right deployment.

Contact Sales Security details

Compliance & Security

Built for regulated industries — and the teams inside them

Tropic ships agents for healthcare, finance, and public sector customers. We hold the certifications they need and the contract terms their legal teams actually sign.

Certifications & frameworks

SOC 2 Type II

Active

Independently audited by Prescient Assurance. Reports available under NDA via [email protected].

HIPAA

Active (BAA available)

Covered-entity and business-associate agreements available for Enterprise customers handling PHI.

GDPR

Active

EU Data Processing Addendum available. Sub-processor list published and monitored.

ISO 27001

In audit — Q3 2026

Currently in stage-two audit. Controls in production since Q4 2025.

PCI DSS

Level 4 merchant

No card data stored on Tropic infrastructure. Payment processing via Stripe / Razorpay.

CCPA / CPRA

Active

Verifiable consumer requests honored within 30 days via [email protected].

How we run the platform

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest (customer content, backups, logs). Per-tenant encryption keys on Enterprise.

Key management

Keys live in AWS KMS with automatic rotation. HSM-backed on Enterprise. BYOK via CMK on request.

Access controls

SSO/SAML + SCIM. Role-based permissions. Every admin action logged with tamper-evident audit trail.

Deployment options

Multi-tenant SaaS (default), VPC single-tenant, on-premises, and air-gapped. Pick the isolation your compliance demands.

Data residency

US, EU, UK, APAC regions available. Per-workspace residency pinning on Enterprise.

Incident response

24/7 on-call. Customer notification within 72h of confirmed breach. Post-mortems published for every SEV-1.

Our data promises

The commitments that matter, written in plain English — not buried in a DPA.

We do not train foundation models on your content. Ever.
We do not share your data with third parties beyond the declared sub-processors.
You retain ownership and copyright of every prompt, document, and conversation.
You can export or delete 100% of your data on demand — no retrieval fees, no 'archive' traps.
We publish our sub-processor list publicly and alert you 30 days before any change.

Need our SOC 2 report, DPA, or HIPAA BAA?

Email [email protected] — you'll get all standard documents within one business day.

Read security overview

Talk to a solutions engineer

We'll walk through your compliance checklist and help you pick the right deployment.

Contact Sales Security details