This page summarizes our current security posture, data handling practices, subprocessors, and procurement-relevant operating controls for evaluation by security and vendor-review teams.
Last updated
TLS 1.3 Encrypted
No Model Training
Org-Scoped Access
Data handling and model training stance
TTXLab processes customer data to deliver exercise workflows, reports, and governance tracking features. We do not use customer data to train foundation models. AI providers receive exercise data via API calls only, with no training rights. Data access is organization-scoped and controlled by authenticated membership and authorization checks.
Encryption and tenant isolation
Platform traffic is encrypted in transit using TLS 1.3. Data stored by TTXLab-managed services is encrypted at rest using AES-256 via provider-managed keys (Convex for database, Vercel for edge/serverless). Tenant data is logically isolated by organization identifiers and access checks on every protected operation.
Identity, authentication, and access control
Authentication is powered by Convex Auth with email magic links for members and invite-scoped guest sessions for exercise participants. Workspace operations enforce organization membership before data is returned. Privileged actions are restricted to authorized roles.
Logging, auditability, and incident response
Audit-relevant lifecycle events are captured for major exercise and report actions. We use this operating history to support readiness reviews, follow-up action tracking, and evidence collection for internal stakeholders.
Data retention and deletion
Exercise data, reports, and account information are retained while accounts are active. Customers can request data export or deletion by contacting support@ttxlab.com. Deletion requests are processed within 30 days, subject to any legal retention obligations. See the Privacy Policy for full retention details.
SOC 2 roadmap and shared responsibility
TTXLab is actively working toward SOC 2 Type II readiness. This certification has not yet been achieved. We are maturing controls, formalizing policies, and aligning with Trust Services Criteria. We will only represent formal attestation after an independent audit is complete. Customers remain responsible for user lifecycle decisions, scenario content, and how exported artifacts are handled after leaving the platform.
AI provider disclosure
TTXLab uses two AI providers for exercise workflows. Both are accessed via the Vercel AI Gateway as API-only integrations. Exercise data is processed through API calls and is not used for model training by either provider.
Google Gemini — powers real-time AI facilitation during exercises. Receives exercise prompts and participant context via API only. No training on customer data.
Anthropic Claude — powers AI adjudication, scoring, and report generation. Receives exercise transcripts via API only. No training on customer data.
Subprocessors
The following vendors process customer data as part of TTXLab platform operations. This list is maintained as subprocessors are added or changed.
TTXLab operates on monitored infrastructure with active incident response. We use Vercel's globally distributed edge network and Convex's real-time backend to maintain platform responsiveness. Service health is monitored continuously, and the team is alerted to degradation or outage conditions.
We do not currently publish a specific uptime percentage commitment for self-serve plans. Enterprise contracts may define stricter SLA terms, availability targets, and incident response timelines based on organizational requirements. Contact us via the contact page to discuss enterprise SLA options.
Related documentation
Review these resources for additional detail on data handling, legal terms, and security controls:
Privacy Policy — data collection, retention, and individual rights.
Security — encryption, vulnerability disclosure, and infrastructure details.
Cookie Policy — cookie usage and consent mechanisms.
Need a security package for vendor review?
Request a security package through our contact page and we will provide available documentation for your procurement or security review process.