Data security is critical to everything we do at TomBot AI


We'd like to welcome you to our Security Page, and let you know that we take Security and Data Protection very serious at TomBot AI.

We are in the business of automating intelligence and Data, and the prerequisite for being a great company that can use Data to do great things, is protecting your Data.

As you continue to learn more about TomBot AI we recommend you also review our Terms of Use and Privacy Policy.

Best Practices

Incident Response Plan
  • We have implemented a formal procedure for security events and have educated all our staff on our policies.
  • When security events are detected they are escalated to our emergency alias, teams are paged, notified and assembled to rapidly address the event.
  • After a security event is fixed we write up a post-mortem analysis.
  • The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
Build Process Automation
  • We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.
  • We typically deploy code dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.


  • All of our services run in the cloud. TomBot AI does not run our own routers, load balancers, DNS servers, or physical servers.
  • All of our services and data are hosted in Amazon Web Services (AWS) facilities in the USA, and we are in the process of consolidating all services and data there. TomBot AI services have been built with disaster recovery in mind.
  • All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.
  • TomBot AI uses MongoDB’s MMS backup solution for datastores that contain customer data.
  • All of TomBot AI's application and database storage is safely contained within Amazon Web Services’ (AWS) infrastructure, which is accredited by ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), and PCI Level 1. More information about AWS security can be found here.
  • At TomBot, we carry out regular due-dilligence checks on all subcontractors and third-party providers.

Service Levels

We have uptime of 99.9% or higher. For more information you can refer to our Service Level Agreement


  • All customer data is stored in the EU.
  • Customer data is stored in a multi-tenant database and can only be accessed using login credentials, authorization, and access controls.
  • Customer data is backed up every hour on our cloud-based storage system in case of a data loss event.
  • All employees are trained with data loss prevention procedures and guidlines to prevent data loss events, and keep customer data safe at all times.
  • All employees and subcontractors are bound to a non-disclosure agreement and will be suspended from the company if there is a breach in protocol.

Authentication & Authorization

  • TomBot is served 100% over https.
  • To access TomBot you must have login credentials (username and password).
  • TomBot implements strict access controls with different sets of priviledges such as Admin, Read-Only, ect to ensure a higher-level of data security.
  • TomBot havs two-factor authentication (2FA) and strong password policies on GitHub, Google, and AWS MongoDB to ensure access to cloud services are protected.


  • All TomBot traffic is safely encrypted using SSL/TLS v1.2 protocol on a highly-secure NGINX reverse-proxy server.


  • TomBot complies with the GDPR Regulatory Authority.
  • All employees are obligtated to run a reference and background checks as part of our Employee Screening Policy.

PCI Obligations

TomBot complies with all PCI obligations, including but not limited to: redaction of Credit Card and Social Security card information.


  • At TomBot we have an appointed Data Protection Officer, which you can e-mail him directly with inquieries related to Data Security at
  • To make a Data Subject Rights Request, submit an e-mail to
  • In case of a data breach or compromise of any personal data we will report the breach to all relevant supervisroy authorities within 24 hours of the breach. We will also notify all effected customers, and act immediately to repair the breach.
  • You may use any data sub-processors at your own discretion with the use of TomBot. If we make any platform changes which engage with a new sub-processor we will notify with a update to our Terms.