Open enrollment opens Nov 4. Get your team ready with a guided rollout.Plan your season

Trust Center

Security your team can verify.

Tobie is built for the people who have to sign off: IT, security, and procurement. Here's exactly where we stand. No vague badges.

SOC 2-certified infrastructureSOC 2 Type I (in progress)Encrypted in transit & at restHIPAA: supported under BAAUS-hosted

Data protection

How Tobie protects your data.

A handful of deliberate choices from the model up that keep your benefits data grounded, isolated, and accountable.

Source-grounded by design

Every answer is drawn only from the documents you approve: never invented. Tobie is built on Anthropic's Claude, so your content is never used to train models, and conversation data carries a short 7-day retention window.

Anthropic ClaudeNo training on your data7-day retention

Encryption everywhere

Data is encrypted the moment it moves and the moment it rests. TLS protects every connection in transit; AES-256 protects everything stored at rest.

TLS in transitAES-256 at rest

Tenant isolation

Each customer's data is separated at the database level using Postgres row-level security. Your data is logically yours alone.

Access & oversight

Role-based admin controls who can see and change what. Every answer Tobie gives is logged and reviewable by your team.

Trusted infrastructure

Tobie runs on Vercel, Supabase, Anthropic, and Cloudflare. Every provider in our stack is independently SOC 2-certified.

Our SOC 2 journey

We'll always tell you exactly where we are.

Most vendors show you a badge and stop. We'd rather show you the whole path, because the willingness to be precise is itself the trust signal.

Today

SOC 2-certified infrastructure

Every provider in our stack is SOC 2-certified, and our own controls are in active build against the Trust Services Criteria.

In progress

SOC 2 Type I

Our independent Type I examination is underway, with a target completion in Q3. We can share interim documentation with reviewers under NDA.

SOC 2 Type II

Following Type I, we move into the observation period for Type II, demonstrating our controls operating consistently over time.

The status above is current and maintained. Ask us where we are today. You'll get a straight answer, in writing.

HIPAA & your data

We can support your HIPAA obligations under a signed Business Associate Agreement. Tell us about your PHI requirements and we'll walk through exactly how Tobie handles them.

Talk to us about a BAA

Subprocessors

Every partner that touches your data.

A complete, current list of the subprocessors Tobie relies on, what each one does, and the data it handles.

SubprocessorPurposeData

V Vercel

Application hosting & delivery

Application traffic, request metadata

S Supabase

Database & authentication

Account data, benefits content, logs

A Anthropic

AI assistant (Claude)

Question text, approved source content

C Cloudflare

DNS & edge security

Network metadata, IP addresses

R Reducto

Document extraction

Uploaded benefits documents

R Resend

Transactional email

Email address, message content

T Twilio

SMS notifications

Phone number, message content

Subprocessor list current as of 2026. We notify customers in advance of material changes.

For reviewers

Request our security packet.

The detailed documentation procurement and security teams need: architecture overview, data-flow diagrams, control mappings, and our subprocessor agreements, shared under NDA.

Or reach us directly at security@tobie.team

Request the packet Book a security call

Get started

Bring the human back to HR.

Start with a Guide Review. In a few weeks, your people get answers, and your team gets its time back.

First Steps Request a Guide Review