SECURITY & TRUST

How we handle your data.

Tymr reads your team's activity from Jira, GitHub, calendars, and chat. We treat that data with the seriousness CFOs and security teams expect. Here's exactly what we do and don't do.

Compliance & certifications

SOC 2 Type I: in progress

Type I report targeted for Q3 2026 via a managed-compliance vendor (Drata / Vanta path). Type II observation window begins immediately after. Customers and prospects can request interim security questionnaires, vendor-risk packets, and policy documents.

GDPR & CCPA: ready

We honor data subject access, deletion, and portability requests. EU customers can sign a Standard Contractual Clauses (SCC) addendum to our DPA.

HIPAA: not yet

Tymr is not HIPAA-compliant today. We don't process PHI by design: we track software development activity, not clinical workflows. A BAA is on the Enterprise roadmap.

DPA on request: ready

Our Data Processing Addendum is ready to sign. Email security@tymrlogic.com and we'll send it within one business day.

Infrastructure

Hosting

Supabase (Postgres + Auth + Storage) running on AWS us-east-1 by default. Enterprise customers can request EU (Supabase's eu-central-1) data residency.

Encryption

TLS 1.2+ in transit. AES-256 at rest (managed by AWS KMS via Supabase). OAuth tokens for integrations are encrypted with a separate, rotating key.

Tenant isolation

Every table is partitioned by org_id with Postgres row-level security (RLS) policies, so one org cannot read another org's data even if an application-level check fails.
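As an added illustration (not Tymr's own schema or policies), this is the shape of a per-org RLS setup of the kind described above. It assumes a hypothetical activity_events table, an application role named tymr_app, and an org id bound to each request with set_config().

```sql
-- Hypothetical table; Tymr's real schema is not shown on this page.
create table activity_events (
    id          bigint generated always as identity primary key,
    org_id      uuid        not null,
    source      text        not null,   -- e.g. 'jira', 'github'
    kind        text        not null,   -- e.g. 'status_transition'
    occurred_at timestamptz not null default now()
);

-- Application role: no BYPASSRLS, not the table owner, minimal grants.
-- (Superusers and BYPASSRLS roles are never subject to policies, so the
-- app must not connect as one.)
create role tymr_app nologin;
grant select, insert on activity_events to tymr_app;

-- Enable RLS and FORCE it so even the table owner is filtered.
alter table activity_events enable row level security;
alter table activity_events force row level security;

-- Every read and write is filtered by the org bound to this session.
-- current_setting(..., true) returns NULL when nothing is bound, so a
-- request that forgot to set the org sees (and can insert) nothing,
-- rather than everything.
create policy org_isolation on activity_events
    for all
    to tymr_app
    using      (org_id = current_setting('app.current_org', true)::uuid)
    with check (org_id = current_setting('app.current_org', true)::uuid);

-- Per request: bind the org for this transaction only (is_local = true),
-- then run queries as the app role.
begin;
set role tymr_app;
select set_config('app.current_org',
                  '11111111-1111-1111-1111-111111111111', true);

-- A buggy query with no "where org_id = ..." still returns only this
-- org's rows, which is what the application-level-check claim relies on.
select id, source, kind from activity_events;

-- An insert aimed at a different org fails the WITH CHECK clause:
--   insert into activity_events (org_id, source, kind)
--   values ('22222222-2222-2222-2222-222222222222', 'jira', 'status_transition');
--   ERROR: new row violates row-level security policy for table "activity_events"
commit;
```

The example UUIDs are constructed placeholders; the point to verify in a real deployment is that the role the application connects with is neither a superuser nor BYPASSRLS, and that policies are FORCEd for owned tables.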

Backups & recovery

Continuous WAL-based backups with 7-day point-in-time recovery on Growth and 30 days on Enterprise. Backups are encrypted and stored in a separate AWS account.

Access & authentication

  • Your users — Email + password today. SAML SSO (Okta, Azure AD, Google Workspace) and SCIM user provisioning on the Enterprise tier and coming to Growth in 2026 Q3.
  • Our team — All Tymr employees use SSO with hardware MFA. Production access is audit-logged, least-privilege, and scoped per-engineer.
  • Integration tokens — OAuth refresh tokens are stored encrypted, scoped to the minimum permissions required (we request read-only where possible). Jira, GitHub, Google, and Microsoft integrations never request write access to your data.

What we track — and what we don't

Tymr ingests metadata about your team's work activity. We deliberately avoid content wherever possible:

We read

  • Calendar event titles, durations, attendee counts
  • Jira issue keys, types, status transitions
  • GitHub commit/PR metadata (SHA, author, files changed — not diffs by default)
  • ServiceNow / PagerDuty incident metadata
  • Slack channel membership + message counts (not content)

We don't read

  • Email content or attachments
  • Slack DMs or message bodies
  • GitHub code diffs (unless explicitly enabled for capitalization auditing)
  • Jira comment bodies (unless explicitly enabled)
  • Video call recordings or transcripts

Admins can further restrict integrations via the Integration Activity Config UI — turn off any source or specific activity type per org.

Audit logs

Tymr writes an append-only audit log for every admin action: integration connect/disconnect, user role change, data export, classification rule edit. Enterprise customers get the log streamed to their SIEM (Splunk, Datadog, or S3 bucket) via webhook. We never mutate historical events — corrections are expressed as new correction-kind events that reference the original, so the trail is reproducible for an auditor years later.

Subprocessors

We use a small number of vetted vendors to run Tymr. Each holds its own SOC 2 or equivalent certification:

  • Supabase — managed Postgres, auth, storage (AWS us-east-1)
  • AWS — underlying cloud for Supabase + edge functions
  • Cloudflare — DNS, DDoS mitigation, static asset CDN
  • Vercel — marketing site hosting (this page)
  • Resend — transactional email
  • Anthropic / OpenAI — LLM features (optional, disabled by default; org admins opt in)

We notify customers of any material subprocessor change with 30 days' notice via email and in-app banner.

Vulnerability disclosure

Found something? We want to hear about it. Email security@tymrlogic.com with details and reproduction steps. We respond within one business day and credit all valid reporters (with permission) on this page once the SOC 2 audit is complete.

We don't yet run a paid bounty program, but valid reporters will receive equivalent recognition.

Data deletion

Customers can export and delete their data at any time from Settings → Org → Delete organization. We remove all org-scoped records from primary storage within 7 days and from backups within 30 days. Email security@tymrlogic.com for a written confirmation of deletion.