SECURITY
Security and compliance at Talonic
Infrastructure & Hosting
Talonic runs on Microsoft Azure Germany West Central — an EU-sovereign data centre region. All inference is routed through Mistral Large via Azure AI Foundry, ensuring that no document data leaves the EU boundary at any point in the processing pipeline.
The platform uses per-tenant isolation at the infrastructure level. Each customer's data is processed and stored in logically separated environments orchestrated by Kubernetes. There is no shared state between tenants — compute, storage, and model context are fully isolated.
Certifications & Compliance
Talonic operates under and aligns with the following standards and regulations:
- GDPR — Full compliance as an EU-based data processor. Data Processing Agreements available on request.
- HIPAA — Technical safeguards in place for healthcare data processing. BAA available for US healthcare customers.
- ISO 27001 — Information security management aligned with ISO 27001 controls.
- ISO 42001 — AI management system standard alignment for responsible AI deployment.
- DIN SPEC 91491 — Co-authored by Talonic alongside Fraunhofer IIS, Humboldt-Innovation, and GIIC. Europe's first standard for AI-ready data at the schema layer.
Data Handling
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Per-tenant data isolation ensures that no customer's data is accessible to any other tenant — at the storage layer, the compute layer, and the model context layer.
Document data is processed ephemerally during extraction and stored only in the customer's isolated environment. No document content is used for model training or shared across tenants. Retention policies are configurable per tenant.
Access Controls
Authentication is handled via SSO through OIDC, with Microsoft Entra ID as the primary identity provider. Role-based access controls govern platform permissions at the workspace, schema, and record level.
API access uses key-based authentication. Webhook delivery is secured with HMAC-SHA256 signing, allowing consumers to verify the integrity and origin of every payload.
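The following is an added example of how a webhook consumer verifies an HMAC-SHA256 signature; it is not code from Talonic and the header name, secret and event body are assumptions for illustration. It makes two points the sentence above leaves implicit: the signature must be checked over the raw request bytes (re-serialising the JSON changes the bytes and breaks the check), and the comparison must be constant-time so an attacker cannot recover the signature byte by byte.

```python
import hashlib
import hmac
import json

# Assumed header name and encoding (hex HMAC-SHA256 over the raw body).
# The real header name and format are whatever the Talonic webhook docs specify.
SIGNATURE_HEADER = "X-Talonic-Signature"

# Constructed sample: a shared webhook secret and one event body, as the bytes
# they would arrive on the wire (note: no spaces after ':' or ',').
SECRET = b"whsec_example_shared_secret"
SAMPLE_BODY = b'{"event":"document.extracted","document_id":"doc_0001","schema":"invoice"}'


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 of the raw request body (what the sender computes)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


# Headers as the sample request would carry them, signed by the sender.
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(SECRET, SAMPLE_BODY)}


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """True only if the presented signature matches the HMAC of the raw body.

    hmac.compare_digest runs in time independent of where the strings differ,
    so a '==' comparison's timing side channel is avoided.
    """
    presented = headers.get(SIGNATURE_HEADER)
    if not presented:
        return False
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected, presented)


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Reject unverified payloads before parsing; return the parsed event otherwise."""
    if not verify_webhook(secret, raw_body, headers):
        return None
    return json.loads(raw_body)


def reserialize(raw_body: bytes) -> bytes:
    """Parse and re-encode the body, as a framework might do before a handler runs.
    json.dumps inserts spaces after ':' and ',', so the bytes no longer match."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    print("valid:", verify_webhook(SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    print("tampered:", verify_webhook(SECRET, SAMPLE_BODY.replace(b"doc_0001", b"doc_0002"), SAMPLE_HEADERS))
    print("reserialized:", verify_webhook(SECRET, reserialize(SAMPLE_BODY), SAMPLE_HEADERS))
```

In a web framework, read the request body as bytes before any JSON middleware touches it; the signature was computed by the sender over those exact bytes, not over whatever a parser and re-encoder produce.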
Incident Response
Talonic maintains a documented incident response process. Security incidents receive an initial response within 24 hours. A post-incident report is delivered within 72 hours of resolution, covering root cause, impact, and remediation steps.
The platform undergoes annual penetration testing by an independent third party. Results and remediation status are available to enterprise customers under NDA.
Data Processing Agreement
A GDPR-compliant Data Processing Agreement is available on request. The DPA covers sub-processor disclosures, data subject rights procedures, breach notification timelines, and cross-border transfer mechanisms.
Contact hello@talonic.com to request a copy.
Contact
For vulnerability reports and security concerns: security@talonic.com
For DPA requests and compliance inquiries: hello@talonic.com
Talonic GmbH · Brunnenstraße 19–21, 10119 Berlin, Germany · security@talonic.com