Trust Center

Security & compliance, in plain terms

Toran is a tool for the moment a stranger turns into a lead. That data — names, phone numbers, conversation context — matters. So here is the short version, up front: your data lives in the EU (Supabase eu-west, France). We never read your conversations — the product gets smarter only from de-identified outcome signals, never transcripts. Raw chat messages auto-expire 30 days after they're sent. We never touch card data — Paddle is our Merchant of Record, so your card details never reach Toran. And you can export everything, or delete your account, yourself from the dashboard. The rest of this page is the detail behind each.

Working draft. This page reflects the controls Toran has in place today. Specific clause wording is under legal review — request the latest signed copy via trust@toranhq.com if you need it for a procurement form.

Data controls — who owns what

Toran sits between you and the visitors on your website. That changes who's responsible for what under GDPR / DPDP / Brazil's LGPD / Mexico's LFPDPPP / state privacy laws:

  • You, the Toran customer, are the Data Controller for the visitor / lead data your widget collects. You decide what the widget asks for, how long you keep replies, and who in your team sees what.
  • Toran is the Data Processor for that visitor / lead data — we receive it on your behalf, run the AI scoring, dispatch notifications to your channels, and store it so your dashboard shows it. We don't repurpose it.
  • Toran is the Data Controller for your own account information (name, email, billing, plan tier). That data is handled per our Privacy Policy.

You can export, delete, or relocate the lead data you own via the dashboard. And here is the line we will not cross: we never read your conversations. We don't sell, rent, or mine your leads — the product gets smarter only from de-identified outcome signals, never the words your visitors typed.

Encryption, access & infrastructure

In transit

All traffic to toranhq.com, app.toranhq.com, and cdn.toranhq.com uses TLS 1.2+ with Google Trust Services certificates auto-renewed ~30 days before expiry. Mixed-content is blocked at the CDN layer. The widget and front-end run on the Cloudflare edge, and every release is immutable: we can roll back to any prior version instantly — a bad deploy is a one-click reversal, not an outage.

At rest

The Toran database (Supabase / PostgreSQL 17, EU-West region) encrypts at rest with AES-256. Object storage (Cloudflare R2) is AES-256. Daily backups are encrypted and retained per the schedule below.

Access controls

  • Row-Level Security (RLS) enforced on every table. A customer can only see rows they own, full stop. No "ignore RLS" toggle in production.
  • Each site's AI is walled off from every other. A customer's AI concierge only ever reads that site's own settings and trained answers, and it replies in text only — it has no database access, so no prompt, however it's crafted, can make it reach or leak another customer's data. Cross-tenant isolation is architectural — it can't be talked around.
  • Multi-factor authentication required on all admin routes. Toran's internal admin dashboard requires AAL2 (TOTP) before rendering. No password-only admin access exists.
  • Customer dashboard two-factor authentication. Enroll TOTP from your Profile page. Once enrolled, the challenge fires at every sign-in — email/password and OAuth (Google) sessions both — until you reach AAL2.
  • Production database access is logged. Audit logs are retained for forensics. Direct DB queries are reviewed.
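To make the first three bullets concrete, here is an added example (not Toran's own schema or policies) of how tenant isolation and the AAL2 requirement are expressed as PostgreSQL Row-Level Security on Supabase. The table names `leads` and `admin_audit` and the column `owner_id` are hypothetical; `auth.uid()` and `auth.jwt()` are Supabase's standard helper functions. The final query is the check a reviewer would run to confirm no table in the `public` schema is missing RLS.

```sql
-- Hypothetical tenant table: every row is keyed by the owning customer's auth user id.
create table if not exists public.leads (
  id           uuid primary key default gen_random_uuid(),
  owner_id     uuid not null references auth.users (id),
  visitor_name text,
  phone        text,
  created_at   timestamptz not null default now()
);

-- Enable RLS and FORCE it, so even the table owner role is subject to the policies.
alter table public.leads enable row level security;
alter table public.leads force row level security;

-- Tenant isolation: a signed-in customer can read and write only rows they own.
-- With no policy for update/delete, those operations are denied outright.
create policy leads_select_own on public.leads
  for select to authenticated
  using (owner_id = (select auth.uid()));

create policy leads_insert_own on public.leads
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

-- Hypothetical admin-only table: readable only from a session that has completed
-- a second factor. Supabase records the assurance level in the JWT "aal" claim.
create table if not exists public.admin_audit (
  id         bigint generated always as identity primary key,
  actor_id   uuid not null,
  action     text not null,
  created_at timestamptz not null default now()
);

alter table public.admin_audit enable row level security;
alter table public.admin_audit force row level security;

create policy admin_audit_requires_aal2 on public.admin_audit
  for select to authenticated
  using ((select auth.jwt() ->> 'aal') = 'aal2');

-- Check: list tables in the public schema that do NOT have RLS enabled.
-- On a correctly configured database this returns zero rows.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Two points worth knowing when reading policies like these: policies only constrain roles that are subject to RLS, so a credential with the PostgreSQL BYPASSRLS attribute (the kind a backend service key carries) is outside them and must never be reachable from a browser or widget; and the `(select auth.uid())` form is used instead of a bare `auth.uid()` so the planner evaluates it once per query rather than once per row.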

Data residency

Primary data store is hosted in the EU (Supabase eu-west region, currently France). Sub-processors (Cloudflare, Resend, Google / Gemini, Paddle, Sentry) operate globally — see the full sub-processor list at /legal/subprocessors for region and purpose per vendor.

Retention

  • Chat messages: 30 days, then automatically purged. You can shorten this in your widget settings; you can't extend it without an Enterprise contract.
  • Leads & lead enrichment: kept while your account is active. On account cancellation, deleted within 30 days unless you export first.
  • Notification logs: 90 days for debugging silent-failure paths.
  • Account deletion: initiated from Profile → Delete Account. 7-day cooldown for accidental deletes, then full erasure within 30 days. Point-in-time backups expire ~14 days after deletion and are not restored on request.
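The chat-message rule above (30 days by default, shortenable per site, never extendable without a contract) is the kind of retention that is safest when enforced inside the database rather than by application code that can be skipped. The following is an added example, not Toran's own job, showing one way to do that on Supabase with the pg_cron extension. The tables `chat_messages` and `sites`, the column `retention_days`, and the schedule name are hypothetical.

```sql
-- Hypothetical per-site setting: customers may shorten retention, never lengthen it.
-- The CHECK caps the value at the 30-day ceiling and rejects non-positive values.
create table if not exists public.sites (
  id             uuid primary key default gen_random_uuid(),
  owner_id       uuid not null,
  retention_days integer not null default 30
    check (retention_days between 1 and 30)
);

create table if not exists public.chat_messages (
  id         bigint generated always as identity primary key,
  site_id    uuid not null references public.sites (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Index on the column the purge filters by, so the nightly job stays cheap.
create index if not exists chat_messages_created_at_idx
  on public.chat_messages (created_at);

-- The purge itself: delete every message older than its site's retention window.
-- LEAST() re-applies the 30-day ceiling defensively even if the CHECK were removed.
create or replace function public.purge_expired_chat_messages()
returns bigint
language sql
security definer
set search_path = public
as $$
  with deleted as (
    delete from public.chat_messages m
    using public.sites s
    where s.id = m.site_id
      and m.created_at < now() - make_interval(days => least(s.retention_days, 30))
    returning m.id
  )
  select count(*) from deleted;
$$;

-- Schedule it daily at 03:00 UTC with pg_cron (enable the extension first).
create extension if not exists pg_cron;
select cron.schedule(
  'purge-expired-chat-messages',
  '0 3 * * *',
  $$select public.purge_expired_chat_messages();$$
);

-- Check: confirm nothing older than the ceiling survives (should return 0).
select count(*) as overdue_messages
from public.chat_messages
where created_at < now() - interval '30 days';
```

Because the purge runs inside the database on a fixed schedule, an application outage or a skipped deploy does not silently extend retention; the last query is the one to keep in a monitoring job so a non-zero result raises an alert.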

Sub-processors

Toran uses a small, deliberate set of sub-processors. Each one has a single job. None of them get all the data — most see only the slice they need for their function.

The full list — including legal name, purpose, regions of operation, and the data categories each one touches — is at /legal/subprocessors. We give 30 days advance notice before adding or replacing a sub-processor; you can subscribe to changes by emailing trust@toranhq.com.

Data Processing Agreement (DPA)

Toran's DPA covers GDPR Article 28 obligations (technical & organizational measures, sub-processor approval, audit rights, breach response) and incorporates the EU Standard Contractual Clauses for any data transfer that involves a US sub-processor.

The current public draft is at /legal/dpa. For a counter-signed copy on your company letterhead — including the Annex I processing details for your specific use case — email trust@toranhq.com.

Incident response & breach notification

If we suspect or confirm a personal-data breach involving your data, we will notify you within 24 hours of confirmed detection — well inside the GDPR Article 33 72-hour controller-to-regulator window so you have time to discharge your own obligations.

Our notification will include:

  • The categories and approximate volume of data records affected
  • Likely consequences of the breach (in plain language)
  • Measures we've taken or are taking to address it
  • A named contact for follow-up questions

Internally, Toran's incident-response runbook covers triage, containment, eradication, recovery, and a post-mortem with action items. We test the runbook against a hypothetical incident at least once a year.

Erasure, DSAR & data export

You can exercise data-subject rights — access, correction, deletion, portability — for your own account, and on behalf of your customers (since you're the Controller for their data).

  • Your own account: Profile → Export Data exports your settings, leads, and chat history as JSON. Profile → Delete Account starts the 7-day cooldown then permanently erases your data.
  • On behalf of a visitor / customer: via dashboard tools, or by emailing privacy@toranhq.com — we will action within 30 days (often within 5 business days for straightforward requests).
  • Point-in-time backups: we don't restore deleted records on request; backup snapshots expire ~14 days after deletion as part of normal rotation. This is a deliberate design choice to make "right to erasure" meaningful.

Certifications & roadmap

SOC 2 Type 1: targeted Q1 2027. SOC 2 Type 2: Q3 2027. ISO 27001: tracking for 2027 — final decision will follow buyer demand.

We're a solo-founder operation at launch, and we'd rather show you the controls than sell you a badge. A real SOC 2 audit costs $20-30K and takes ~3 months — we will commit to the audit when we've crossed the threshold where one deal would pay for it, not before. Everything a SOC 2 audit would attest to is documented on this page today, and if your procurement team needs more, we'll share our pre-audit documentation under NDA.

Regional notes

GDPR (EU / UK / EEA)

Toran's data store is in the EU (Supabase eu-west / France). For sub-processors outside the EEA, we rely on the European Commission's adequacy decisions where they exist, and EU Standard Contractual Clauses (2021/914) where they do not. The DPA at /legal/dpa incorporates the SCCs by reference.

India (DPDP Act 2023)

Toran complies with the Digital Personal Data Protection Act 2023 obligations for foreign-domiciled processors. Cross-border transfer is permitted under DPDP Section 16 (no transfer-blacklist published as of this writing). Our Grievance Officer for DPDP matters is Erez Avital — reachable at privacy@toranhq.com (subject line "DPDP grievance" gets fastest response, 7 business days max).

Brazil (LGPD) & Mexico (LFPDPPP)

Brazil's LGPD and Mexico's LFPDPPP (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) are built on the same principles our GDPR posture operationalizes — transparency, purpose limitation, data minimization, and enforceable data-subject rights. We honor access, rectification, cancellation, and opposition (ARCO) requests from Mexican data subjects, and the equivalent LGPD rights for Brazilian data subjects, via privacy@toranhq.com. The processor commitments in our DPA apply to customers in both markets. We do not claim a formal certification or registration under either regime — the commitment is the posture described on this page.

California (CCPA / CPRA), Virginia, Texas, & other state laws

Toran does not sell personal information as defined by CCPA / CPRA. We honor opt-out of any future targeted-advertising processing on a Do-Not-Sell / Do-Not-Share basis; today, the only processing we do is what's strictly necessary to deliver the service.

EU AI Act (effective 2 Aug 2026)

The AI Act's Article 50(1) chatbot-disclosure requirement applies to Toran — our AI Concierge engages visitors conversationally to qualify leads. We ship three disclosure surfaces by default (entry-card subtext, persistent header badge, and override-proof first-bubble disclosure), all enforced in the widget bundle Toran ships and controls, so deployer customization of the welcome message does not strip the AI disclosure. Full stance — including how we handle adjacent articles (4, 5, 6, Annex III), AI sub-processors (Google Gemini), and the careers-page deployment edge case — is at /eu-ai-act. Deployer-specific obligations (privacy notice clause, copy-paste text) at /legal/deployer-notes.

What Toran is and isn't built for

Not built for protected health information (PHI). Toran is not a HIPAA-eligible service. Do not configure your widget to collect PHI from patients (diagnoses, treatment details, medical history). If you operate a medical practice using Toran, configure your widget to gather contact intent only ("I'd like to book an appointment") and route the medical conversation to your own HIPAA-compliant stack. We can't sign a Business Associate Agreement (BAA) at this time.

We store no payment-card data. Paddle is our Merchant of Record, so your card details — and your customers' — never touch Toran's systems (no PCI scope). Toran also isn't built to receive government identifiers (SSNs, national IDs) as a primary input, or content moderated under specific regulated regimes (KYC / AML). If your use case involves any of those, talk to us at trust@toranhq.com before deploying — there's usually a routing pattern that keeps Toran out of the regulated data flow entirely.

Support commitments

Procurement forms ask for a stated support commitment, so here is ours — the same first-response targets we hold ourselves to internally. Support is founder-direct: the person who answers is the person who built the product, not a ticket queue three layers away.

  • Critical — service down, or a security / data issue: first response within 1 hour during business hours.
  • Major — a key feature broken with no workaround: first response within 4 hours during business hours.
  • Degraded — an issue with a workaround: first response within 1 business day.
  • Questions, how-to, billing: first response within 2 business days.

Business hours: 09:00–18:00 UTC+2, Monday to Friday. Reports that arrive outside that window start the clock at the next business-hours opening — though critical issues usually get a faster-than-promised reply.

Honest scope: these are first-response targets, not resolution guarantees — resolution time depends on the issue. They apply to the Pro and Business tiers; the Free tier gets best-effort support against the same queue. Enterprise customers get a custom SLA in a separate Service Agreement. We don't publish an uptime-percentage SLA today, and we won't invent one for a form — incident handling and breach notification are covered under Incident response above.

Reach support at support@toranhq.com.

Contact

Toran is a service operated by Erez Avital, an individual conducting business in Israel as a registered sole proprietor (עוסק מורשה / osek murshe) under the trade name 'Toran'. Mailing address available on request via trust@toranhq.com.