Trust Center

Where every security and compliance claim is documented.

TexAu handles outbound and CRM data for thousands of teams. We treat that responsibility like infrastructure, not marketing. This page lists every certification, control, vendor, and data-handling commitment in one place — with dates, with caveats, and with the contact paths to verify.

Posture

GDPR · CCPA compliant. SOC 2 Type II on track for Q3 2026 (as of May 2026).

Subprocessor list, encryption posture, incident response, and data subject rights — all documented below with dates, caveats, and contact paths to verify every claim.

Status

Where we are today.

Certifications and compliance status.

TexAu compliance status

| Standard | Status | Notes |
|---|---|---|
| GDPR | Compliant | Data Processing Addendum available on request. EU representative on file. |
| CCPA | Compliant | California consumer rights honored via in-app and email channels. |
| SOC 2 Type II | Roadmap | On track for Q3 2026 (status as of May 2026). Auditor engagement in progress; bridge letters available to enterprise prospects under NDA. |
| ISO 27001 | In Progress | Scoping phase. Controls mapping in progress. |
| HIPAA | Not Applicable | TexAu does not currently process Protected Health Information. Healthcare buyers should contact [email protected]. |
| PCI DSS | Not Applicable | TexAu does not store or process payment card data directly. Payments are tokenized via Stripe. |
| DPF (Data Privacy Framework) | In Progress | EU-US data transfer mechanism — review in progress. |

How the system is built.

Security architecture.

  • Encryption in transit

    TLS 1.2+ on every connection, public-internet and internal. Certificates managed via AWS Certificate Manager, rotated automatically.

  • Encryption at rest

    Customer data and credentials encrypted at rest with AES-256. Database encryption keys managed via AWS KMS. Secrets rotated on a defined schedule.

  • Tenant isolation

    Workspaces are logically isolated at the database level. Cross-tenant data access is prevented at the query layer; verified by penetration tests.

  • Network and infrastructure

    Hosted on AWS in us-east-1 / eu-west-1. Production access requires hardware-key MFA. Database access is audit-logged. Secrets managed via AWS Secrets Manager.

  • Application security

    Static and dynamic security testing in CI. Quarterly third-party penetration tests. Dependency vulnerability scanning. Bug bounty program (by invitation).

What happens to data flowing through TexAu.

  • Customer data

    Lists, tables, enriched results, prompts, scoring models, CRM mappings — all stored only in your workspace. We do not use customer data to train models. BYOK isolates LLM calls outside our infrastructure entirely.

  • Enrichment data

    When you call the waterfall, we route the request through one or more upstream enrichment vendors. Vendor responses are stored in your workspace. We retain raw provider responses for 90 days for dedup, retries, and audit logs.

  • Subject rights (GDPR / CCPA)

    Data subject requests (access, deletion, correction, export) are handled within 30 days for GDPR / 45 days for CCPA. Submit at [email protected].

Every vendor that can touch your data.

Subprocessors.

TexAu subprocessor list

| Subprocessor | Purpose | Data type | Region |
|---|---|---|---|
| AWS | Application hosting and storage | All customer data | us-east-1, eu-west-1 |
| Stripe | Payment processing | Billing data only (tokenized) | US |
| Resend | Transactional email | User email addresses, account events | US |
| Sentry | Error monitoring | Application logs (no PII payloads) | US |
| Anthropic / OpenAI / Google | AI column processing (TexAu-credit mode only) | AI column input/output | US |
| Hunter, Apollo, RocketReach, Snov, Datagma, ContactOut, Dropcontact, Clearbit, Lusha, ZoomInfo, NeverBounce, ZeroBounce | Enrichment cascade | Per-request enrichment inputs | Mixed |
| HubSpot, Salesforce, Pipedrive, Zoho, GoHighLevel | CRM connectors (only for customers using these CRMs) | Per-record sync data | US / region of CRM |

A complete, signed subprocessor list is included in our standard DPA. Updates are versioned, and enterprise customers under DPA are notified of them.

What we'll send you.

Compliance documents.

  • Data Processing Addendum

    GDPR-compliant DPA. SCCs included for international transfers. Request: [email protected].

  • Security questionnaire

    Pre-filled CAIQ-Lite and SIG-Lite. Custom questionnaires answered within 5 business days. Request: [email protected].

  • Pen test reports

    Most recent third-party penetration test summary available under NDA. Request: [email protected].

  • SOC 2 evidence

    Bridge letters available under NDA for enterprise prospects in active evaluation.

What we don't do for you.

Customer responsibilities.

  • Outbound compliance is yours

    TexAu provides enrichment, automation, and CRM rails. The cold emails you send and the regulatory regimes those emails fall under (CAN-SPAM, GDPR Article 6/22, regional consent rules) are your responsibility.

  • Account credentials

    Each user's password and 2FA token are theirs to manage. We cannot retroactively undo actions taken with valid credentials. Use SSO + MFA on Enterprise.

  • CRM data accuracy

    We sync data into your CRM with the conflict policy you configure. The cleanliness of the resulting CRM state depends on your mapping decisions. We provide audit logs and dry-run mode.

What happens when something goes wrong.

Incident response.

  • Detection

    Production systems are monitored 24/7. Anomalies trigger paging to on-call engineers within minutes. Customer-impacting incidents tracked publicly at status.texau.com.

  • Notification

    Customers affected by a security incident involving customer data are notified within 72 hours for GDPR-relevant incidents, with an initial summary, scope, and remediation plan.

  • Post-incident

    Every customer-impacting incident generates a public post-mortem on the status page within 7–14 days post-resolution. We name what failed, what we did, and what we changed.

FAQ

What enterprise security teams ask most.

Where is data stored?
Primary region us-east-1, with EU customers routed via eu-west-1 where applicable. EU-only data residency on the Enterprise roadmap.

Do you train models on customer data?
No. Customer inputs to AI columns and Co-Pilot are not retained for model training. BYOK isolates LLM calls outside TexAu infrastructure entirely.

Do you have SSO?
Yes. SAML and OIDC available on Enterprise, configurable via WorkOS.

Do you support audit logs?
Workspace audit logs available on Scale and Enterprise. Logs include actor, action, timestamp, and affected entity. Exportable as JSON.

Do you have a vulnerability disclosure policy?
Yes. Submit to [email protected] with details and a proof-of-concept where applicable. We acknowledge within 2 business days.

What's your data retention policy?
Customer data is retained while your account is active. Account deletion triggers deletion of customer data within 30 days, excluding data we are legally required to retain (billing records, etc.).

Can I export my data before deleting my account?
Yes. Export tools are in account settings. Format: CSV for tables, JSON for templates and audit logs. No exit fee.

Are you covered by cyber insurance?
Yes. Coverage details available to enterprise customers under NDA.

Do you sign BAAs?
Not currently. HIPAA support is on the roadmap. Healthcare customers should contact [email protected] to discuss timing.

Where can I find your terms and privacy policy?
Linked in the footer of every page: /terms-and-conditions, /privacy-policy, /payments-policy.

Real email addresses.

Contact.

PGP key available on request.