Data security is critical to everything we do at TomBot AI


We'd like to welcome you to our Security Page, and let you know that we take Security and Data Protection very serious at TomBot AI.

We are in the business of automating intelligence and Data, and the prerequisite for being a great company that can use Data to do great things, is protecting your Data.

As you continue to learn more about TomBot AI we recommend you also review our Terms of Use and Privacy Policy.

Best Practices

Incident Response Plan
  • We have implemented a formal procedure for security events and have educated all our staff on our policies.
  • When security events are detected they are escalated to our emergency alias, teams are paged, notified and assembled to rapidly address the event.
  • After a security event is fixed we write up a post-mortem analysis.
  • The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
Build Process Automation
  • We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.
  • We typically deploy code dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.


  • All of our services run in the cloud. TomBot AI does not run our own routers, load balancers, DNS servers, or physical servers.
  • All of our services and data are hosted in Amazon Web Services (AWS) facilities in the USA, and we are in the process of consolidating all services and data there. TomBot AI services have been built with disaster recovery in mind.
  • All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.
  • TomBot AI uses MongoDB’s MMS backup solution for datastores that contain customer data.
  • All of TomBot AI's application and database storage is safely contained within Amazon Web Services’ (AWS) infrastructure, which is accredited by ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), and PCI Level 1. More information about AWS security can be found here.

Service Levels

We have uptime of 99.9% or higher. For more information you can refer to our Service Level Agreement


  • All customer data is stored in the USA.
  • Customer data is stored in single-tenant datastores, and we have an individual datastore for each customer.


  • TomBot is served 100% over https.
  • We have two-factor authentication (2FA) and strong password policies on GitHub, Google, and AWS MongoDB to ensure access to cloud services are protected.


  • TomBot complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.
  • TomBot complies with the U.S.- Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from Switzerland.
  • TomBot complies with the GDPR Regulatory Authority.

PCI Obligations

TomBot complies with all PCI obligations, including but not limited to: redaction of Credit Card and Social Security card information.