Security your team can verify.
Tobie is built for the people who have to sign off: IT, security, and procurement. Here's exactly where we stand. No vague badges.
How Tobie protects your data.
A handful of deliberate choices from the model up that keep your benefits data grounded, isolated, and accountable.
Source-grounded by design
Every answer is drawn only from the documents you approve: never invented. Tobie is built on Anthropic's Claude, so your content is never used to train models, and conversation data carries a short 7-day retention window.
Encryption everywhere
Data is encrypted the moment it moves and the moment it rests. TLS protects every connection in transit; AES-256 protects everything stored at rest.
Tenant isolation
Each customer's data is separated at the database level using Postgres row-level security. Your data is logically yours alone.
Access & oversight
Role-based admin controls who can see and change what. Every answer Tobie gives is logged and reviewable by your team.
Trusted infrastructure
Tobie runs on Vercel, Supabase, Anthropic, and Cloudflare. Every provider in our stack is independently SOC 2-certified.
We'll always tell you exactly where we are.
Most vendors show you a badge and stop. We'd rather show you the whole path, because the willingness to be precise is itself the trust signal.
SOC 2-certified infrastructure
Every provider in our stack is SOC 2-certified, and our own controls are in active build against the Trust Services Criteria.
SOC 2 Type I
Our independent Type I examination is underway, with a target completion in Q3. We can share interim documentation with reviewers under NDA.
SOC 2 Type II
Following Type I, we move into the observation period for Type II, demonstrating our controls operating consistently over time.
The status above is current and maintained. Ask us where we are today. You'll get a straight answer, in writing.
HIPAA & your data
We can support your HIPAA obligations under a signed Business Associate Agreement. Tell us about your PHI requirements and we'll walk through exactly how Tobie handles them.
Every partner that touches your data.
A complete, current list of the subprocessors Tobie relies on, what each one does, and the data it handles.
Request our security packet.
The detailed documentation procurement and security teams need: architecture overview, data-flow diagrams, control mappings, and our subprocessor agreements, shared under NDA.
Bring your security team along.
Start with a Guide Review, or send your security questionnaire straight to us. The willingness to answer precisely is the point.