TomPilot was built governance-first, not bolted on afterwards. The data architecture is designed against GDPR, ISO 27001 and ISO 42001, and written up for external DPO review.
Full data-subject rights, self-service export & erasure.
Information security management, isolation & audit.
AI management, consent, cost & prompt governance.
Data in eu-west-2, encrypted, seven-year retention.
Architecture designed to these standards. Formal certification is in progress; documentation available under NDA.
Every table carries row-level security scoped to your workspace, with a second tier of isolation between users inside it. Each workspace gets its own Slack token, its own Anthropic key and its own agent process, so credentials and conversations are never pooled.
Self-service download of everything held about a person, generated on demand as JSON or CSV over a registry of every PII field.
Full erasure across every linked record, soft-delete with restore, or a consent-gated ownership transfer. Customer-initiated and operator-run.
Withdraw AI consent per user and it's enforced before any model is called, so a refused user incurs no processing and no cost.
Append-only, trigger-enforced, 30+ action types across both runtimes. Admins can view it in-app.
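The two controls described above, workspace-scoped row-level security with a second tier of per-user isolation, and a trigger-enforced append-only audit log, can be expressed directly in the database. The following is an added illustration, not TomPilot's own schema or code: it assumes PostgreSQL, and the table names (messages, audit_log), column names (workspace_id, user_id, actor_id) and session settings (app.workspace_id, app.user_id, app.role) are hypothetical.

```sql
-- Added illustration, not TomPilot's schema. Assumes PostgreSQL; every table,
-- column and app.* setting name here is hypothetical.

CREATE TABLE messages (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    user_id      uuid NOT NULL,
    body         text NOT NULL
);

ALTER TABLE messages ENABLE ROW LEVEL SECURITY;
ALTER TABLE messages FORCE ROW LEVEL SECURITY;   -- also binds the table owner

-- Tier 1: a session only sees rows belonging to its own workspace.
-- current_setting() without missing_ok raises if the setting is absent,
-- so an unscoped session fails closed rather than seeing everything.
CREATE POLICY workspace_isolation ON messages
    USING (workspace_id = current_setting('app.workspace_id')::uuid);

-- Tier 2: inside the workspace a member only sees their own rows; the admin
-- role sees the whole workspace. RESTRICTIVE means this must pass in addition
-- to workspace_isolation, never instead of it.
CREATE POLICY member_isolation ON messages AS RESTRICTIVE
    USING (
        user_id = current_setting('app.user_id')::uuid
        OR current_setting('app.role', true) = 'admin'
    );

-- Append-only audit log: INSERT is allowed, UPDATE and DELETE are rejected
-- by a trigger rather than by grants alone, so even a superuser session
-- that bypasses GRANTs still hits the trigger.
CREATE TABLE audit_log (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    actor_id     uuid,
    action       text NOT NULL,
    occurred_at  timestamptz NOT NULL DEFAULT now()
);

CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_no_modify
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Per-request usage: set the tenant context inside the transaction. The third
-- argument (is_local = true) scopes the value to this transaction, so a pooled
-- connection does not carry one tenant's context into the next request.
BEGIN;
SELECT set_config('app.workspace_id', '00000000-0000-0000-0000-000000000001', true);
SELECT set_config('app.user_id',      '00000000-0000-0000-0000-000000000002', true);
SELECT set_config('app.role',         'member', true);
SELECT body FROM messages;   -- returns only this member's rows in this workspace
INSERT INTO audit_log (workspace_id, actor_id, action)
    VALUES ('00000000-0000-0000-0000-000000000001',
            '00000000-0000-0000-0000-000000000002', 'messages.read');
COMMIT;
```

The point worth checking in a review of any such design is the fail-closed behaviour: a session that never sets app.workspace_id should get an error, not an unfiltered result, and a test that runs UPDATE audit_log against the log should fail with the trigger's exception.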
TOTP with backup codes, tenant-scoped enforcement, sudo mode, login rate limiting, 16-char passwords.
A documented retention schedule with daily enforcers for seven-year and two-year classes, plus heartbeat alerting.
Operator, admin and member roles, with time-boxed, revocable operator debug grants.
Every model call is budget-capped, costed and version-hashed with a full audit trail; this record is the spine of the ISO 42001 controls.
Encrypted at rest and in transit, hosted in London, passwords hashed with bcrypt, never readable by us.
We'll send the security pack, the GDPR architecture write-up and a DPA. Real answers from the people who built it.