Trust Center

Security & compliance, in plain terms

Toran is a tool for the moment a stranger turns into a lead. That data — names, phone numbers, conversation context — matters. Here's exactly how we handle it, where it lives, who we share it with, and what you can do if something goes wrong.

Working draft. This page reflects the controls Toran has in place today. Specific clause wording is under legal review — request the latest signed copy via trust@toranhq.com if you need it for a procurement form.

Data controls — who owns what

Toran sits between you and the visitors on your website. That changes who's responsible for what under GDPR / DPDP / state privacy laws:

  • You, the Toran customer, are the Data Controller for the visitor / lead data your widget collects. You decide what the widget asks for, how long you keep replies, and who in your team sees what.
  • Toran is the Data Processor for that visitor / lead data — we receive it on your behalf, run the AI scoring, dispatch notifications to your channels, and store it so your dashboard shows it. We don't repurpose it.
  • Toran is the Data Controller for your own account information (name, email, billing, plan tier). That data is handled per our Privacy Policy.

You can export, delete, or relocate the lead data you own via the dashboard. We will not sell, rent, or mine your leads for any purpose other than delivering the service.

Encryption, access & infrastructure

In transit

All traffic to toranhq.com, app.toranhq.com, and cdn.toranhq.com uses TLS 1.2+ with Google Trust Services certificates auto-renewed ~30 days before expiry. Mixed content is blocked at the CDN layer.

At rest

The Toran database (Supabase / PostgreSQL 17, EU-West region) encrypts at rest with AES-256. Object storage (Cloudflare R2) is AES-256. Daily backups are encrypted and retained per the schedule below.

Access controls

  • Row-Level Security (RLS) enforced on every table. A customer can only see rows they own, full stop. No "ignore RLS" toggle in production.
  • Multi-factor authentication required on all admin routes. Toran's internal admin dashboard requires AAL2 (TOTP) before rendering. No password-only admin access exists.
  • Customer dashboard MFA available. You can require TOTP on your own Toran login from the Profile page.
  • Production database access is logged. Audit logs are retained for forensics. Direct DB queries are reviewed.
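For readers who want to see what "RLS enforced on every table" looks like in PostgreSQL / Supabase terms, here is an added illustration; it is not Toran's own schema, and the table and column names are assumed:

```sql
-- Hypothetical table: one row per lead, tagged with the owning customer.
-- Table and column names are assumed for illustration, not Toran's real schema.
create table leads (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid(),  -- Supabase auth user id
  name        text,
  phone       text,
  created_at  timestamptz not null default now()
);

-- Turn RLS on, and FORCE it so even the table owner is subject to the policies.
-- Without FORCE, the table-owner role is exempt from the policies below.
alter table leads enable row level security;
alter table leads force row level security;

-- Customers see only the rows they own. auth.uid() is Supabase's helper
-- that returns the authenticated user's id from the request JWT.
create policy leads_select_own on leads
  for select to authenticated
  using (owner_id = auth.uid());

-- Inserts are checked too, so a customer cannot write rows into someone else's tenant.
create policy leads_insert_own on leads
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Quick verification: impersonate a logged-in user and confirm only their rows come back.
-- (request.jwt.claim.sub is the session setting auth.uid() reads; the uuid is a constructed sample.)
set role authenticated;
select set_config('request.jwt.claim.sub', '00000000-0000-0000-0000-000000000001', true);
select count(*) from leads;  -- counts rows where owner_id matches the impersonated user only
```

One caveat a reviewer would check: the Supabase service_role key bypasses RLS by design, so a policy like this only protects data if that key never reaches a client-side bundle or a per-customer code path.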

Data residency

Primary data store is hosted in the EU (Supabase eu-west region, currently France). Sub-processors (Cloudflare, Resend, Google / Gemini, Paddle, Sentry) operate globally — see the full sub-processor list at /legal/subprocessors for region and purpose per vendor.

Retention

  • Chat messages: 30 days, then automatically purged. You can shorten this in your widget settings; you can't extend it without an Enterprise contract.
  • Leads & lead enrichment: kept while your account is active. On account cancelation, deleted within 30 days unless you export first.
  • Notification logs: 90 days for debugging silent-failure paths.
  • Account deletion: initiated from Profile → Delete Account. 7-day cooldown for accidental deletes, then full erasure within 30 days. Point-in-time backups expire ~14 days after deletion and are not restored on request.

Sub-processors

Toran uses a small, deliberate set of sub-processors. Each one has a single job. None of them get all the data — most see only the slice they need for their function.

The full list — including legal name, purpose, regions of operation, and the data categories each one touches — is at /legal/subprocessors. We give 30 days advance notice before adding or replacing a sub-processor; you can subscribe to changes by emailing trust@toranhq.com.

Data Processing Agreement (DPA)

Toran's DPA covers GDPR Article 28 obligations (technical & organizational measures, sub-processor approval, audit rights, breach response) and incorporates the EU Standard Contractual Clauses for any data transfer that involves a US sub-processor.

The current public draft is at /legal/dpa. For a counter-signed copy on your company letterhead — including the Annex I processing details for your specific use case — email trust@toranhq.com.

Incident response & breach notification

If we suspect or confirm a personal-data breach involving your data, we will notify you within 24 hours of confirmed detection — well inside the GDPR Article 33 72-hour controller-to-regulator window so you have time to discharge your own obligations.

Our notification will include:

  • The categories and approximate volume of data records affected
  • Likely consequences of the breach (in plain language)
  • Measures we've taken or are taking to address it
  • A named contact for follow-up questions

Internally, Toran's incident-response runbook covers triage, containment, eradication, recovery, and a post-mortem with action items. We test the runbook against a hypothetical incident at least once a year.

Erasure, DSAR & data export

You can exercise data-subject rights — access, correction, deletion, portability — for your own account, and on behalf of your customers (since you're the Controller for their data).

  • Your own account: Profile → Export Data exports your settings, leads, and chat history as JSON. Profile → Delete Account starts the 7-day cooldown then permanently erases your data.
  • On behalf of a visitor / customer: via dashboard tools, or by emailing privacy@toranhq.com — we will action within 30 days (often within 5 business days for straightforward requests).
  • Point-in-time backups: we don't restore deleted records on request; backup snapshots expire ~14 days after deletion as part of normal rotation. This is a deliberate design choice to make "right to erasure" meaningful.

Certifications & roadmap

SOC 2 Type 1: targeted Q1 2027. SOC 2 Type 2: Q3 2027. ISO 27001: tracking for 2027 — final decision will follow buyer demand.

We're a solo-founder operation at launch. A real SOC 2 audit costs $20-30K and takes ~3 months — we will commit to the audit when we've crossed the threshold where one deal would pay for it, not before. In the meantime, this Trust Center documents the controls a SOC 2 audit would attest to. If your procurement team needs more, we'll share our pre-audit documentation under NDA.

Regional notes

GDPR (EU / UK / EEA)

Toran's data store is in the EU (Supabase eu-west / France). For sub-processors outside the EEA, we rely on the European Commission's adequacy decisions where they exist, and EU Standard Contractual Clauses (2021/914) where they do not. The DPA at /legal/dpa incorporates the SCCs by reference.

India (DPDP Act 2023)

Toran complies with the Digital Personal Data Protection Act 2023 obligations for foreign-domiciled processors. Cross-border transfer is permitted under DPDP Section 16 (no transfer blacklist published as of this writing). Our Grievance Officer for DPDP matters is Erez Avital — reachable at privacy@toranhq.com (subject line "DPDP grievance" gets the fastest response, 7 business days max).

California (CCPA / CPRA), Virginia, Texas, & other state laws

Toran does not sell personal information as defined by CCPA / CPRA. We honor opt-out of any future targeted-advertising processing on a Do-Not-Sell / Do-Not-Share basis; today, the only processing we do is what's strictly necessary to deliver the service.

EU AI Act (effective 2 Aug 2026)

The AI Act's Article 50(1) chatbot-disclosure requirement applies to Toran — our AI Concierge engages visitors conversationally to qualify leads. We ship three disclosure surfaces by default (entry-card subtext, persistent header badge, and override-proof first-bubble disclosure), all enforced in the widget bundle Toran ships and controls, so deployer customization of the welcome message does not strip the AI disclosure. Full stance — including how we handle adjacent articles (4, 5, 6, Annex III), AI sub-processors (Google Gemini), and the careers-page deployment edge case — is at /eu-ai-act. Deployer-specific obligations (privacy notice clause, copy-paste text) at /legal/deployer-notes.

What Toran is and isn't built for

Not built for protected health information (PHI). Toran is not a HIPAA-eligible service. Do not configure your widget to collect PHI from patients (diagnoses, treatment details, medical history). If you operate a medical practice using Toran, configure your widget to gather contact intent only ("I'd like to book an appointment") and route the medical conversation to your own HIPAA-compliant stack. We can't sign a Business Associate Agreement (BAA) at this time.

Toran also isn't built to receive payment-card data (no PCI scope), government identifiers (SSNs, national IDs) as a primary input, or content moderated under specific regulated regimes (KYC / AML). If your use case involves any of those, talk to us at trust@toranhq.com before deploying — there's usually a routing pattern that keeps Toran out of the regulated data flow entirely.

Contact

Toran is a service operated by Erez Avital, an individual conducting business in Israel as a registered sole proprietor (עוסק מורשה / osek murshe) under the trade name 'Toran'. Mailing address available on request via trust@toranhq.com.