Trust & Security
Typillar runs an agent harness and product control plane on Cloudflare, and builds and deploys into your own connected accounts. Our data footprint is deliberately small: one isolated Durable Object per project holds its ideas, tickets, and history, and the credentials you connect are encrypted at rest. Report a vulnerability to security@typillar.com.
Controls
- Isolation — one Durable Object per project, with its own embedded storage; no shared store between projects or customers.
- Encryption — TLS 1.2+ in transit. OAuth tokens and model API keys are encrypted at rest (AES-GCM) and used with least privilege.
- Authentication — OAuth (GitHub, Google) and email sign-in for the console; sessions live in short-TTL storage.
- Approval gate — nothing is built or deployed into your account without your explicit approval.
- Auditability — every idea, ticket, build, and deploy is recorded as a per-project history graph you can replay and roll back.
Compliance posture
- SOC 2: Not started
  Typillar's control plane runs on Cloudflare infrastructure, which is independently SOC 2 Type II and ISO 27001 certified. We have not begun an audit of our own application-layer controls and will pursue one as enterprise demand warrants.
- GDPR: Supported
  We act as a data processor and sign a Data Processing Addendum on request. Subprocessors are listed below.
- Data residency: In your account
  Typillar deploys into your own Cloudflare account, so your applications and their data live wherever your account runs them. Our control-plane metadata (project ideas, tickets, and history — never your end-user data) runs on Cloudflare's global edge.
- HIPAA: Not eligible
  We do not sign Business Associate Agreements (BAAs). Do not use Typillar to process protected health information (PHI).
- PCI-DSS: Out of scope
  Typillar does not handle cardholder data. When paid seats are enabled, payments will run through a third-party processor so card data never reaches our systems.
Subprocessors
Effective June 30, 2026. We notify account owners of material changes to this list before a new subprocessor begins processing personal data. Email security@typillar.com to subscribe to change notices.
| Subprocessor | Purpose | Data | Location |
|---|---|---|---|
| Cloudflare, Inc. | Control-plane compute, Durable Object storage, KV, usage telemetry | Account metadata, project ideas/tickets/history, encrypted connection credentials | Global edge |
| Your model provider (Cloudflare Workers AI, Anthropic, or OpenAI) | Code generation from your prompts | Your idea and ticket text — processed under your own account and keys | Provider-dependent |
Payment and email processors will be added to this list and disclosed here if and when those features are enabled.
Data handling
We do not sell your data and we do not use it to train machine-learning models. Code generation runs on the model provider you connect, under your own account and keys. Usage telemetry records event identifiers and timing — not your prompt text or generated code.