Planning open enrollment 2026? Get the hub, videos, and assistant live before the window opens.See the OE playbook
Trust Center

Security your team can verify.

Tobie is built for the people who have to sign off: IT, security, and procurement. Here's exactly where we stand. No vague badges.

SOC 2-certified infrastructureSOC 2 Type I (in progress)Encrypted in transit & at restHIPAA: supported under BAAUS-hosted
Data protection

How Tobie protects your data.

A handful of deliberate choices from the model up that keep your benefits data grounded, isolated, and accountable.

Source-grounded by design

Every answer is drawn only from the documents you approve: never invented. Tobie is built on Anthropic's Claude, so your content is never used to train models, and conversation data carries a short 7-day retention window.

Anthropic ClaudeNo training on your data7-day retention

Encryption everywhere

Data is encrypted the moment it moves and the moment it rests. TLS protects every connection in transit; AES-256 protects everything stored at rest.

TLS in transitAES-256 at rest

Tenant isolation

Each customer's data is separated at the database level using Postgres row-level security. Your data is logically yours alone.

Access & oversight

Role-based admin controls who can see and change what. Every answer Tobie gives is logged and reviewable by your team.

Trusted infrastructure

Tobie runs on Vercel, Supabase, Anthropic, and Cloudflare. Every provider in our stack is independently SOC 2-certified.

Our SOC 2 journey

We'll always tell you exactly where we are.

Most vendors show you a badge and stop. We'd rather show you the whole path, because the willingness to be precise is itself the trust signal.

Today

SOC 2-certified infrastructure

Every provider in our stack is SOC 2-certified, and our own controls are in active build against the Trust Services Criteria.

In progress

SOC 2 Type I

Our independent Type I examination is underway, with a target completion in Q3. We can share interim documentation with reviewers under NDA.

The status above is current and maintained. Ask us where we are today. You'll get a straight answer, in writing.

HIPAA & your data

We can support your HIPAA obligations under a signed Business Associate Agreement. Tell us about your PHI requirements and we'll walk through exactly how Tobie handles them.

Talk to us about a BAA
Subprocessors

Every partner that touches your data.

A complete, current list of the subprocessors Tobie relies on, what each one does, and the data it handles.

SubprocessorPurposeData
V Vercel
Application hosting & delivery
Application traffic, request metadata
S Supabase
Database & authentication
Account data, benefits content, logs
A Anthropic
AI assistant (Claude)
Question text, approved source content
C Cloudflare
DNS & edge security
Network metadata, IP addresses
R Reducto
Document extraction
Uploaded benefits documents
R Resend
Transactional email
Email address, message content
T Twilio
SMS notifications
Phone number, message content
Subprocessor list current as of 2026. We notify customers in advance of material changes.
For reviewers

Request our security packet.

The detailed documentation procurement and security teams need: architecture overview, data-flow diagrams, control mappings, and our subprocessor agreements, shared under NDA.

Or reach us directly at security@tobie.team
Get started

Bring your security team along.

Start with a Guide Review, or send your security questionnaire straight to us. The willingness to answer precisely is the point.