Trust & Compliance
Where talari.ai (Talari.AI Services, in formation, Poland) stands today — what is already in place, what is being built, and what is on the roadmap. Every commitment is scoped as Live, In progress, or Planned. We will not claim what we cannot evidence.
Why this page exists
Every vertical we build on the talari.ai platform handles sensitive professional data — session notes from therapists, case files from lawyers, patient records from vets. Under the GDPR, much of this is special-category data (Art. 9), with stricter protections than ordinary personal data.
This page tells you, in concrete terms, where data lives, who can touch it, what we will do if something goes wrong, and which commitments are already in place versus on the roadmap.
If anything on this page is unclear, or if you need a copy of our DPA / AVV before signing, contact us at trust@talari.ai.
1. Data location — EU-only, DE primary
| Item | State | Detail |
|---|---|---|
| Primary processing region | In progress | Germany. Hetzner Cloud (Falkenstein / Nuremberg) is the planned primary. Vendor freeze due before the first production account. |
| Secondary / disaster-recovery region | In progress | Germany or France. IONOS (DE) or OVHcloud (FR) under evaluation. EU jurisdiction in either case. |
| Customer-content data centre outside the EU | Never | Architectural commitment, enforced via region-pinning and audit logging. |
| Customer-content data flow to a US sub-processor | Never | See §8 (Schrems II). |
| Marketing / website analytics | In progress | EU-resident, cookie-light analytics only; vendor pin pending. No US analytics for any page that handles authenticated session data. |
Audit trail. Once region-pinning is live, each request that touches sensitive professional data will be logged with the region of every component that handled it. Logs are retained per the retention schedule in our DPA / AVV.
2. Encryption
| Item | State | Detail |
|---|---|---|
| In transit | In progress | TLS 1.3, modern cipher suites only, HSTS preload. End-to-end from client to application tier. |
| At rest — application data | In progress | AES-256 disk-level encryption on all primary and replica storage. |
| At rest — sensitive fields | In progress | Field-level envelope encryption on top of disk-level for any field carrying professional session content. |
| Key management | In progress | Customer-content keys held in a managed KMS pinned to an EU region (Hetzner-EU or IONOS-EU). No key material crosses the EU border. |
| Backups | In progress | Encrypted at rest with the same EU-region key hierarchy. Backups never replicated outside the EU. |
KMS region-locality statement. No customer-content key is ever materialised, wrapped, or used by a service running outside the EU. This is enforced at the IAM and network layers as part of the region-pinning architecture.
3. Audit status
| Item | State | Detail |
|---|---|---|
| ISO 27001 / ISO 27701 | Planned | Decision deferred until SOC 2 readiness completes. We will not claim either standard before certification. |
| SOC 2 Type II | In progress | Audit-firm RFP scheduled for Phase 3 readiness (target 2026-Q3 if the budget gate is open). EU-resident or regulated-industries firm preferred. Report shared on request once issued. |
| Independent penetration test | In progress | Annual external pen test scoped under our security roadmap. Summary letter shareable under NDA. |
We will not display badges for certifications we have not yet earned. When SOC 2 Type II is issued, the audit-firm name, attestation-period, and report-availability path will appear here.
4. Incident response
We follow the GDPR Art. 33 / Art. 34 framework.
| Item | State | Detail |
|---|---|---|
| Notification SLA to controller | In progress | Within 24 hours of confirmed incident, by the channel agreed in the DPA / AVV. This is stricter than Art. 33's 72-hour controller-to-supervisory-authority deadline. |
| Notification path to supervisory authority | In progress | The controller files; we provide the technical breach report needed for the filing. Default targets: BfDI / Berlin LDA (DE), UODO (PL). |
| Tabletop exercise | In progress | First exercise scoped under our security roadmap; documented residual-risk register. |
| Status communication | In progress | Live status page at status.talari.ai — planned to launch with the first production account. |
5. Sub-processor list
Entries marked pending have Art. 28 AVV/DPA drafted and are awaiting signature; entries marked proposed are not yet finalised. No sub-processor is engaged until all onboarding steps in our registry process are complete.
| Sub-processor | Purpose | Region | Status |
|---|---|---|---|
| Hetzner Online GmbH | Primary infrastructure (compute, storage, network) — professional content + metadata | DE (Falkenstein / Nuremberg) | Pending: AVV drafted; awaiting signature |
| Hetzner Online GmbH (FI node) | CRM platform hosting (self-hosted EspoCRM) — prospect/controller data only, no professional content | FI (Helsinki) | Pending: AVV annex drafted; awaiting signature |
| IONOS SE | Secondary / DR infrastructure | DE | Proposed |
| OVHcloud SAS | Alternative secondary / DR infrastructure | FR | Proposed |
| Mistral AI | EU-hosted LLM API for transcript generation; mandatory "no training on customer data" contractual term + zero-retention side letter | EU | Proposed |
| Anthropic (EU region) | LLM API, second-source — only when EU-region Claude API is generally available | EU | Planned |
| DPO firm (DataGuard or Proliance) | External Data Protection Officer service | EU | Proposed |
| Email / transactional comms | Transactional email for account / outreach lifecycle | EU | Proposed |
| Error monitoring | Application-error telemetry (no professional content payloads) | EU | Proposed |
Registry state: 0 engaged · 2 pending · 5 proposed · 0 terminated.
Notification SLA on changes. We will notify controllers at least 30 days before any new sub-processor begins processing customer-adjacent data, and at least 60 days before any change that affects the data-residency region.
6. Data Protection Officer
| Item | State | Detail |
|---|---|---|
| External DPO appointed | In progress | Procurement of an external DPO firm (DataGuard or Proliance shortlisted). The DPO will be contracted before any production account is onboarded. |
| DPO contact published | In progress | Will be published here as dpo@talari.ai once the firm is contracted. Until then, route requests to trust@talari.ai. |
| DPO registered with supervisory authorities | Planned | DPO firm files registration with BfDI (DE) and UODO (PL) on contract execution. |
We will not assert “we have a DPO” until the contract is executed. This page is updated within 5 business days of execution.
7. DPIA-by-design summary
We do not treat the DPIA as a paperwork exercise filed once and forgotten. The talari.ai platform is built DPIA-first: every architectural decision that touches professional-session content is evaluated against a residual-risk register before merge.
The full DPIA (Art. 35 GDPR) is maintained internally and made available on request under NDA.
Headline findings from the v1 DPIA:
- No high-risk residuals requiring Art. 36 prior consultation with a supervisory authority.
- The single residual above Low is the quality risk that an AI-generated draft might be inaccurate — mitigated by the architectural commitment that the professional is always the author of record: no draft is filed without the professional's explicit review and approval.
- Lawful basis (Art. 6 / Art. 9): controller-side basis is the professional's service relationship and, where applicable, the client's explicit consent (Art. 9(2)(a) / Art. 9(2)(h)). Our processor-side activity is governed solely by the DPA / AVV — we do not process professional content for our own purposes.
- No secondary use. Professional-session content is never used to train, fine-tune, or evaluate any model — neither ours nor a sub-processor's. This is a contractual term with each LLM sub-processor and a hard architectural rule.
8. Schrems II statement
Zero US sub-processors handle raw customer-adjacent content.
This is a categorical commitment, not a best-effort statement.
- All LLM inference on raw professional-session transcripts is performed by an EU-region commercial API under a contract that prohibits training on customer data and prohibits retention beyond the request lifecycle.
- All primary and secondary infrastructure is operated by EU-headquartered providers in EU data centres under EU jurisdiction.
- The few US-headquartered SaaS tools we may use (e.g. internal collaboration / observability) do not receive raw session content and are scoped under appropriate Standard Contractual Clauses with supplementary measures per EDPB Recommendations 01/2020.
- Where a US-headquartered tool offers an EU-data-residency tier, we use that tier in preference to a non-EU one, even at higher cost.
- We monitor adequacy decisions and Schrems-style litigation; if the EU–US Data Privacy Framework is invalidated again, the architectural commitment above means our professional-content data flow is unaffected.
9. Contact
- General trust questions: trust@talari.ai
- Co-build and partnership enquiries: build@talari.ai
- Subject-rights requests (Art. 15–22): trust@talari.ai (will route to dpo@talari.ai once the DPO firm is contracted)
- Security disclosure: security@talari.ai (PGP key published once the security mailbox is provisioned)
- Postal address: pending entity registration in Poland
10. Revision history
| Revision | Date | Change |
|---|---|---|
| v1.1 (draft) | 2026-05-25 | Aligned sub-processor list, DPIA summary, Schrems II statement, and contact section with psychotherapy.talari.ai Trust page v1.1. Same legal entity — same factual commitments. Added §7 DPIA-by-design summary. |
| v1.0 (draft) | 2026-05-25 | First public draft of the talari.ai platform Trust page. Adapted from the psychotherapy.talari.ai Trust page. Pre-incorporation framing — entity in formation in Poland. |