TRUST CENTER

Certifications roadmap, not certificates yet

Tanqory is not currently certified against any external information-security or privacy framework. The following frameworks are tracked on our roadmap, with target windows defined by our internal security and compliance program and reviewed quarterly.

Email the Trust team View subprocessors

Frameworks on the roadmap

Each entry mirrors our internal `04-security-controls.yaml` source of truth. Status, target windows, audit firm (when engaged), and scope notes update on a quarterly cycle.

Framework	Status	Target window	Audit firm	Notes
SOC 2 Type 1	Roadmap	FY2026 H2	Not engaged	—
SOC 2 Type 2	Roadmap	FY2027 (12-month observation post Type 1)	—	—
ISO/IEC 27001	Roadmap	FY2027	Not engaged	Several legal docs claim 'ISO 27001-aligned'. This is acceptable language ONLY if there is an internal ISMS doc + control mapping (currently partial).
ISO/IEC 27701	Roadmap	—	—	Privacy extension of 27001; depends on 27001 first.
ISO/IEC 42001 (AI management)	Roadmap	FY2027	—	AI management system. AI-Act doc claims compliance — must downgrade to 'aligned' until ISMS exists. Public Trust Center wording: 'Tanqory is not certified against ISO/IEC 42001.'
PCI-DSS (SAQ-A)	Self-assessment in progress	—	—	SAQ-A (Stripe.js client-side tokenization; no cardholder data in Tanqory infra)Not yet obtained from Stripe Connect Platform program

Source: internal security controls inventory, effective 2026-05-26 (v1). Reviewed quarterly.

What this means for you

Today, Tanqory's security posture is documented in this Trust Center and in the underlying compliance dataset rather than via a third-party attestation. Internally, the engineering team maintains a SOC 2 Type II control matrix mapping each Common Criteria (CC1 through CC7+) to its implementation and evidence references; a Disaster Recovery runbook with RTO 1 hour / RPO 1 hour / MTTR 30 minutes targets; and a PCI-DSS SAQ-A self-assessment based on Stripe.js client-side tokenization (no cardholder data on Tanqory infrastructure). Live drills against the DR runbook are scheduled, not yet executed. Enterprise prospects can request the control matrix, gap assessment, and roadmap walkthrough under NDA. Once external attestations land, this page becomes the canonical place where customers, auditors, and partners verify status and download reports. Certificates and reports will be linked here when issued.

Common questions about our certifications

Why isn't Tanqory certified yet?

Tanqory's external audit program is sequenced behind our internal control baseline. We are running a structured self-assessment first so that an external auditor walks into a mature control set rather than an in-flight one. Target windows on this page reflect when we expect attestations to be in hand, not when audits start. The certification roadmap is owned by the Security and Compliance team (security@tanqory.com).

Can I get a security questionnaire response today?

Yes. Enterprise customers and procurement teams can request a completed CAIQ / SIG-Lite / vendor questionnaire from trust@tanqory.com. We respond under NDA and reference the same internal source of truth that drives this Trust Center.

Will reports be available here once issued?

Yes. SOC 2 reports and ISO certificates will be linked from this page when issued, behind an authenticated request flow where the framework requires it (for example, SOC 2 Type 2 reports under NDA).

What is the PCI-DSS scope?

Tanqory does not store, process, or transmit cardholder data within Tanqory-controlled systems for the standard merchant flow. Card data is tokenized by our PCI-validated payment service providers. Our applicable scope is SAQ-A, which we self-attest annually and reconcile against acquirer Attestations of Compliance.

What is ISO 42001 and why is it on the roadmap?

ISO/IEC 42001 is the international standard for AI management systems. Because Tanqory uses AI features in commerce workflows (content generation, segmentation suggestions, etc.), we track ISO 42001 alongside the security and privacy frameworks rather than treating AI compliance as a separate program. Tanqory is not certified against ISO/IEC 42001; external certification is on the roadmap (target window: FY2027). Owner: Data Protection Officer with the AI lead and the Compliance team.

Need a security review or DPA?

Enterprise teams can request our security questionnaire, current DPA template, and a roadmap briefing from our Trust team.

Email the Trust team