Start free

Security & Trust

Last updated: June 9, 2026

At Tiny Command, protecting the data our customers entrust to us is fundamental to our business. This page describes our security practices, infrastructure, and compliance posture. For privacy details, see our ; for contractual data-protection terms, see our .

Data Encryption

In transit: All data transmitted between you and the Service is encrypted using TLS.

At rest: Customer Data is encrypted at rest using industry-standard encryption provided by our infrastructure and database providers.

Hosting and Infrastructure

The Service is hosted on Amazon Web Services (AWS). Our databases are hosted in two regions: the United States and Europe. For customers with European data-residency requirements, data can be hosted in our European region to support GDPR and UK GDPR compliance. Region assignment is determined by Tiny Command based on customer requirements.

Customer Data benefits from the physical, environmental, and network security controls maintained by AWS across its data centers.

Access Controls

Access to production systems and Customer Data is restricted to authorized personnel on a least-privilege, need-to-know basis.

Access is governed by role-based permissions and is removed promptly when personnel no longer require it.

Within your own account, you are responsible for managing user roles and permissions for your team.

Sub-Processors

We engage third-party sub-processors to provide the Service. Each is bound by data-protection obligations consistent with applicable law. Our Vision and AI Agent features run on self-hosted models operated by Tiny Command; Customer Data processed by those features is not sent to third-party AI providers.

We will provide at least 30 days' notice before authorizing a new sub-processor, and will update this list accordingly.

Data Retention and Deletion

We retain Customer Data for as long as your account is active and as needed to provide the Service.

Upon account termination, Customer Data is available for export for 30 days, after which it is deleted from production systems within 30 days, and purged from backups within 90 days.

You can delete specific records, forms, or documents at any time through the Service.

We honor data-subject access and deletion requests as required under the GDPR, the UK GDPR, the DPDP Act, and applicable U.S. state laws; see the .

Backup and Disaster Recovery

Customer Data is backed up daily, and backups are encrypted.

We rely on the redundancy and availability features of AWS to support recovery and continuity.

Vulnerability Management and Penetration Testing

We apply security patches and dependency updates on a regular basis and monitor for known vulnerabilities in our dependencies and infrastructure.

We engage a third party to perform penetration testing on a quarterly basis.

Incident Response and Breach Notification

We maintain an incident response process to detect, investigate, and respond to security incidents. In the event of a personal-data breach affecting your data, we will notify you without undue delay and within 72 hours of becoming aware, consistent with our obligations under the GDPR, the UK GDPR, the DPDP Act, applicable U.S. state laws, and our DPA.

Compliance and Certifications

SOC 2: SOC 2 certification is currently in progress.

ISO 27001: ISO 27001 certification is currently in progress.

GDPR / UK GDPR: We process personal data in accordance with these regulations and offer a DPA with appropriate transfer mechanisms (Standard Contractual Clauses and the UK International Data Transfer Addendum).

DPDP Act (India): We process personal data consistent with the Digital Personal Data Protection Act, 2023.

U.S. state privacy laws: We support obligations under applicable U.S. state privacy laws (e.g., CCPA/CPRA).

Data Processing Agreement (DPA)

We offer a Data Processing Agreement that governs our processing of personal data on your behalf, including international transfer mechanisms and sub-processor terms. To request a countersigned DPA, contact .

Security Contact and Responsible Disclosure

We welcome reports of security vulnerabilities from researchers and the public.

Report security issues to .

We ask that you give us reasonable time to investigate and remediate before public disclosure, and that you avoid accessing or modifying data that is not yours during testing.

Contact

TinyCommand LLC N Gould St., Sheridan, Wyoming 82801, US Email: