Trust & Security
Our security posture, data handling, and compliance roadmap — stated honestly.
Effective: July 1, 2026
Enterprise buyers deserve the truth, not a wall of badges. Below is what we have in place today, what we're actively building, and what we can provide under a written agreement. If something you need isn't here, ask us.
1. What we have today
- Encryption in transit and at rest. Traffic is served over TLS; data is encrypted at rest by our infrastructure providers.
- Least-privilege data access. Row-level security policies scope data access at the database, not just in the application, and are enforced on every read and write.
- Audit trail. Meaningful actions are recorded to an append-only activity log for accountability and review.
- Reputable infrastructure. We build on established cloud providers (see our Subprocessors list). Card payments are handled by our PCI-compliant payment processor — we do not store full card numbers.
- Human-in-the-loop AI. Our AI assistant (Terra) supports our team and users; consequential decisions are reviewed by a person, and AI suggestions are logged.
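As an added illustration of the "least-privilege data access" and "audit trail" bullets above (this is example SQL written for this page, not Tourist SOS's own schema or code): a PostgreSQL row-level security policy that scopes every read and write to the caller's organization, and an activity log table that the application role can only append to. The table and role names, the `app.current_org_id` session setting and the UUIDs are assumptions chosen for the example.

```sql
-- Assumed, illustrative schema: one application role and a per-request
-- tenant id carried in a transaction-local setting. Run as a superuser or as
-- a member of app_user so that SET LOCAL ROLE below works.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE incidents (
  id         bigserial PRIMARY KEY,
  org_id     uuid NOT NULL,
  summary    text NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);

-- Without RLS any query through app_user returns every organization's rows.
-- FORCE makes the policy apply to the table owner as well; note that
-- superusers and roles with BYPASSRLS are never subject to RLS.
ALTER TABLE incidents ENABLE ROW LEVEL SECURITY;
ALTER TABLE incidents FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read (and targeted by UPDATE/DELETE);
-- WITH CHECK validates rows written by INSERT/UPDATE. NULLIF handles the
-- setting being unset ('' or NULL), which makes the predicate NULL, i.e.
-- fail closed: no rows match instead of all rows matching.
CREATE POLICY incidents_tenant_isolation ON incidents
  FOR ALL TO app_user
  USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
  WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON incidents TO app_user;

-- Append-only activity log. First guard: the application role is granted
-- INSERT and SELECT only, never UPDATE or DELETE.
CREATE TABLE activity_log (
  id        bigserial PRIMARY KEY,
  org_id    uuid NOT NULL,
  actor     text NOT NULL,
  action    text NOT NULL,
  details   jsonb,
  logged_at timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE activity_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE activity_log FORCE ROW LEVEL SECURITY;
CREATE POLICY activity_log_tenant_isolation ON activity_log
  FOR ALL TO app_user
  USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
  WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);
GRANT SELECT, INSERT ON activity_log TO app_user;

-- Second guard: a trigger that refuses UPDATE, DELETE and TRUNCATE for any
-- non-superuser caller, including the table owner running a migration.
CREATE FUNCTION activity_log_block_changes() RETURNS trigger AS $$
BEGIN
  RAISE EXCEPTION 'activity_log is append-only (attempted %)', TG_OP;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER activity_log_append_only
  BEFORE UPDATE OR DELETE OR TRUNCATE ON activity_log
  FOR EACH STATEMENT EXECUTE FUNCTION activity_log_block_changes();

-- Per request, the application sets the tenant for this transaction only
-- (third argument true = local to the transaction, so it cannot leak into
-- the next request on a pooled connection).
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);

INSERT INTO incidents (org_id, summary)
  VALUES ('11111111-1111-1111-1111-111111111111', 'Tourist reports chest pain');   -- allowed
INSERT INTO activity_log (org_id, actor, action, details)
  VALUES ('11111111-1111-1111-1111-111111111111', 'dispatcher@example.org',
          'incident.create', '{"incident": 1}');                                 -- allowed

SELECT count(*) FROM incidents;   -- counts only org 1111... rows
COMMIT;

-- Each of the following fails: the first violates WITH CHECK, the second has
-- no tenant set so the policy matches nothing, the third hits the trigger.
-- INSERT INTO incidents (org_id, summary)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'another org');
-- SELECT * FROM incidents;                       -- outside a tenant-scoped txn
-- DELETE FROM activity_log WHERE id = 1;         -- even as the owner
```

Two checks worth running against any setup like this: confirm that the role the application connects with is not a superuser and does not have BYPASSRLS (`SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = 'app_user';`), and confirm that a query issued with no tenant setting returns zero rows rather than every row.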
2. What we're working toward
We are pre-scale and building our formal compliance program deliberately. We would rather tell you exactly where we are than display a badge we haven't earned.
- SOC 2. We are working toward a SOC 2 examination. We do not currently hold a SOC 2 report; we will share our status and timeline with prospective enterprise customers on request.
- HIPAA. Where we handle protected health information on behalf of a covered entity, we operate as a Business Associate and will enter into a Business Associate Agreement. Our formal HIPAA program (risk analysis, written policies, workforce training, vendor BAAs) is in progress. See our HIPAA posture note below.
- GDPR / UK GDPR. We support Standard Contractual Clauses for international transfers and offer a Data Processing Addendum to business customers (see DPA).
- Independent testing. Third-party penetration testing is planned, as is a formal coordinated vulnerability-disclosure policy; until then, reports go to the channel described in section 6.
3. HIPAA posture (in progress)
Tourist SOS coordinates emergency medical services and, in doing so, may handle health information. Where we process protected health information on behalf of a HIPAA covered entity, we act as a Business Associate and will sign a Business Associate Agreement governing that relationship. We are not claiming to be certified “HIPAA compliant” (no such certification exists); we are building and documenting our safeguards to the HIPAA Security and Privacy Rules. If your organization requires a BAA, contact security@tourist-sos.com.
4. Data handling & residency
Our primary data is hosted with our cloud providers in the United States. For customers with data-residency requirements (for example, EU hosting), we can discuss options under a written agreement.
What we collect and how we use it is described in our Privacy Policy. The third parties that process data on our behalf are listed on our Subprocessors page. Data-subject and privacy requests go to privacy@tourist-sos.com.
5. Available under agreement
- Mutual NDA and Data Processing Addendum.
- Business Associate Agreement (HIPAA), where applicable.
- Our current subprocessor list and security-questionnaire responses.
- Single sign-on (SAML / OIDC) for enterprise deployments.
- Evidence of professional and cyber insurance.
6. Report a vulnerability
We welcome good-faith security research. If you believe you've found a vulnerability, email security@tourist-sos.com with enough detail for us to reproduce the issue. We aim to acknowledge reports promptly and will not pursue researchers who act in good faith, avoid privacy violations and unnecessary access to data, and give us reasonable time to remediate before disclosing publicly.
7. Contact
Security questions: security@tourist-sos.com. Procurement, questionnaires, and agreements: trust@tourist-sos.com.
This page reflects our posture as of July 1, 2026 and will be updated as our program matures. It is a good-faith description, not a warranty or a certification.