TomSocial
Security & compliance

Consent isn't a checkbox. It's the build.

TomSocial handles other people's reviews, photos and names, so data protection is a build requirement, not a later addition. It inherits the same governed foundation as TomPilot: GDPR, ISO 27001 and ISO 42001.

REGULATION
GDPR

Self-service export & deletion across all tenant data.

STANDARD
ISO 27001

Per-tenant isolation, deny-by-default access, audit.

STANDARD
ISO 42001

Human gate, cost & prompt governance on the AI.

RESIDENCY
UK · London

Data in eu-west-2, encrypted, audit-logged.

Architecture designed to these standards and shared with the wider estate. Certification in progress; documentation available under NDA.

Module boundary

Shared login, separated data

TomSocial uses the same secure sign-in as TomPilot, so one account works across the estate. But its data lives in its own tables with deny-by-default access, and reads across modules go through read-only helpers. The strategy toggle pulls from TomPilot read-only; it can never write back.

ONE ESTATE, SEPARATED MODULES

TomSocial: tom_social_* tables, deny-by-default RLS
TomPilot: strategy tables, read-only helper
Shared auth · Supabase: London · eu-west-2 · 2FA inherited

Mandatory approval gate

No content reaches a channel without a person approving it. There is no automated path around the gate, on any plan.

Append-only audit log

Approvals, publishes, consent records and configuration changes, all logged and tamper-evident.

2FA inherited

The same authentication and two-factor setup as the rest of the estate, from day one.

GDPR self-service

Export and deletion covering all TomSocial tenant data, run by the customer.

AI cost & prompt audit

Every generation is costed and recorded; this is the ISO 42001 spine the estate is built on.

Secrets in Vault

No secrets in the repository; provisioning secrets stay confined to the webhook path.

Doing a due-diligence review?

We'll send the security pack, the consent and data-protection notes and a DPA. Straight answers from the people who built it.
