How TapPass protects your data, our security and compliance posture, and every legal document in one place. Built in the EU, for AI you can put into production with confidence.
At TapPass, trust is built into everything we do. From our EU infrastructure to how we handle every action an AI takes, the platform is designed to meet a high bar for security, data protection and compliance. This trust center gives you direct access to the policies, practices and safeguards that protect your data, together with every legal document in one place. We run our own operations on TapPass every day, and extend the same protection to you.
"AI that takes action deserves the same accountability we expect from people. We built TapPass so every agent stays under your rules, on the record, and in the EU. Trust is earned through transparency and rigorous practice, and by running our own AI under TapPass, every single day."
The agreements and notices that govern your use of TapPass.
The agreement that governs access to and use of the TapPass platform.
ReadWhat personal data we process, why, how long we keep it, and your rights under the GDPR.
ReadThe cookies we use, what they do, and how to manage your preferences.
ReadCompany identification and legal notices, as required under Belgian law.
ReadArticle 28 GDPR terms for customers whose data we process, including security measures and sub-processors.
ReadHow we protect your data and every action your agents take, by default.
Hosted on Google Cloud in Belgium (europe-west1). Your data stays in the European Union, end to end.
TLS in transit and AES-256 at rest. Secrets and model keys are sealed with envelope encryption in Cloud KMS, scoped per organisation.
Every organisation's data is isolated at the database layer with row-level security, so one customer can never reach another's.
Every action an agent takes is written to a hash-chained, append-only audit trail you can verify end to end.
Access to production is role-based and least-privilege, with multi-factor authentication on administrative accounts and periodic access reviews.
Changes go through peer review, automated dependency and security scanning, and CI checks before they reach production.
Keeping the service available, and your data recoverable.
TapPass runs on managed, redundant cloud infrastructure in the EU. The production database is backed up automatically every day, with point-in-time recovery, and recovery is tested periodically. We maintain documented business-continuity, disaster-recovery and incident-response plans, and publish live uptime and incident history on our status page.
TapPass is built and hosted in the European Union. For the data your agents send through the platform, you are the controller and TapPass acts as a processor on your instructions, under a Data Processing Agreement. For your account and the data you give us directly, such as billing and contact details, TapPass is the controller.
Your data stays yours. We process it to provide and secure the service, and we do not sell it. Where we rely on subprocessors, they are listed on our trust portal and bound by equivalent obligations.
For the full detail, including legal bases, retention periods, international transfers and how to exercise your rights, see the Privacy Policy. Data processing terms for customers are set out in our Data Processing Agreement; a signed counterpart is available on request via dpo@tappass.ai.
The third parties that may process data to help us run TapPass. Each link opens that provider's data-processing terms in a new tab.
We give advance notice before adding a new subprocessor. Tools we use to run our own business (for example code hosting, CRM and monitoring) process our data, not the data you put into TapPass, and are described in our Privacy Policy.
Some documents we share on request, usually under a mutual NDA. We respond quickly.
The frameworks TapPass is built around, and the programme behind them.
TapPass is designed around the EU's data-protection and AI rules. We maintain a Record of Processing Activities, run Data Protection Impact Assessments for higher-risk processing, operate a documented personal-data breach procedure with 72-hour notification, and make a Data Processing Agreement available to every customer. We never use your data to train AI models.
Whether you need a signed DPA, a security review or a specific document for procurement, we are quick to respond.