// Trust & Security Report

    Tana Labs, Inc. logo

    Tana Labs, Inc.

    Tana (agentic meeting platform) and Tana Outliner (note-taking outliner). Operated by Tana Labs, Inc., a Delaware corporation headquartered at 470 Ramona Street, Palo Alto, CA 94301. Public-facing brand 'Tana Inc.' / tana.inc.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    GDPR Compliant (homepage badge, no asterisk). Privacy Policy: 'Tana is also committed to ensuring that the processing of your personal data is carried out in accordance with applicable data protection legislation' and cites GDPR legal bases (e.g. 'GDPR Art. 6(1)(f)'). GDPR is a self-attested regulatory posture, not a third-party-audited certification.

    Verify on tana.inc
    > Show 3 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    SOC2 Compliant * ... * In progress. ETA Q3 2026. (homepage). Trust center Resources list shows only 'Letter Of Intent - Audit SOC2 Type 2' and 'Engagement Letter - Vanta' — no completed report.

    source: tana.inc
    HIPAA
    NOT CONFIRMED

    HIPAA Compliant * ... * In progress. ETA Q3 2026.

    source: tana.inc
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 found on homepage, trust center, privacy policy, or terms.

    source: trust.tana.inc

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Application infrastructure and user content hosted on Google Cloud Platform in the European Union. AI/LLM processing is split across regions: Gemini (GCP) in the EU; Claude (Anthropic) and OpenAI in the United States; LiveKit (WebRTC for in-product meetings) in the United States. So meeting audio/video and AI prompts can leave the EU for US-based LLM and real-time-media subprocessors.

    Does not train on customer User Content by default. Privacy Policy: 'We do not use your User Content to train, improve, or develop AI or machine learning models unless we notify you in advance and provide you with an opportunity to opt out. This restriction also applies contractually to our AI subprocessors.' Terms repeat the same language and add that User Content is transferred to AI models 'for processing and augmentation as necessary to provide the Service' (inference, not training). Homepage badge: 'No training on your data'. Note the opt-out (rather than opt-in) model: if Tana later chooses to train, the default after notice is participation unless the user acts.

    // Security controls

    Trust center (Vanta-hosted)

    Public trust center at trust.tana.inc backed by Vanta continuous monitoring; documents controls across Infrastructure security, Organizational security, Product security, Internal security procedures, and Data and privacy. Covers both Tana and Tana Outliner.

    trust.tana.inc

    Encryption

    Encryption in transit ('Data transmission encrypted'); encryption key access restricted. At-rest encryption is implied via GCP but not explicitly quoted.

    trust.tana.inc

    Access control

    Unique production database authentication enforced; unique account authentication enforced; SSO offered ('SSO' badge on homepage).

    trust.tana.inc

    Vulnerability management

    'Vulnerability and system monitoring procedures established'; 'Anti-malware technology utilized'. No bug bounty platform (HackerOne/Bugcrowd) found. No explicit penetration-test attestation found in captured controls.

    trust.tana.inc

    Org / operational security

    Employee background checks performed; production inventory maintained; Business Continuity and Disaster Recovery plans established and tested; configuration management system established; data retention and classification policies; 'Customer data deleted upon leaving'.

    trust.tana.inc

    Bug bounty

    none (no HackerOne or Bugcrowd program found)

    trust.tana.inc

    Penetration testing

    unknown (not explicitly attested in available evidence)

    trust.tana.inc

    Microsoft app verification

    'Verified Microsoft app' badge claimed on homepage.

    tana.inc

    // Products & data scope

    Tana (agentic meeting platform)AI meeting / agentic productivity

    data: Highest-sensitivity scope. Captures meeting audio recordings, video recordings, screen captures/recordings, transcriptions, plus connected-knowledge content (docs, tasks, CRM fields, contacts). Runs AI agents that act during native video calls and connect to external tools via MCP (GitHub, Slack, HubSpot, Linear, Jira, Google Calendar, Outlook, Claude Code, Codex, Gemini, Cursor). Meeting media flows through LiveKit (US) and prompts to Claude/OpenAI (US) or Gemini (EU).

    Marketed to product/eng, consultants, VCs, creatives, founders, customer success, and sales. 'No training on your data', SSO, granular sharing controls, 'MCP & API first'. SOC2 and HIPAA still in progress, so HIPAA-regulated (PHI) use should not be assumed yet.

    Tana OutlinerNote-taking / knowledge outliner

    data: User-entered notes, nodes, Supertags, documents, files, calendars, agendas. Lower-sensitivity than the meeting platform (no native meeting audio/video capture by default).

    The company's original note-taking product at outliner.tana.inc. Shares the same Tana Labs privacy policy, terms, and trust center; the subprocessor list flags which subprocessors apply to Tana, Tana Outliner, or both.

    // What to watch

    • No completed third-party certifications yet. SOC2 and HIPAA are explicitly 'in progress' (ETA Q3 2026); trust center shows only a Vanta engagement letter and a SOC2 Type 2 'Letter of Intent' — do not list SOC2/HIPAA as held.
    • GDPR is a self-attested posture, not an audited certification — display it as 'GDPR-aligned', not 'GDPR certified'.
    • AI training is opt-OUT, not opt-in: Tana reserves the right to train on User Content after advance notice unless the user opts out. Default-no-training holds today, but the contractual door is open.
    • Cross-border data flow: EU-hosted storage but US-based LLM (Claude, OpenAI) and US-based real-time media (LiveKit). Meeting audio/video and prompts leave the EU. Relevant for EU/UK procurement and data-residency requirements.
    • Trust center is Vanta-hosted and JavaScript-rendered; could not be independently re-fetched by automated tools.
    • Entity naming inconsistency: legal entity is 'Tana Labs, Inc.' (Delaware) in privacy/terms, while the homepage footer reads '© 2026 Tana Inc.' and the trust center is 'Tana.inc'. Likely branding vs legal-entity difference, not a red flag, but worth noting.
    • No public bug-bounty program (HackerOne/Bugcrowd) and no explicit penetration-test attestation found.
    • Sensitive data surface is high for the meeting product (live audio/video/screen capture + agent actions across connected tools) — vet carefully before any regulated/PHI workload.

    // At a glance

    Pricing model

    Freemium SaaS subscription. Free version plus paid monthly/yearly subscriptions; 30-day free trial, no credit card required. No public self-host/enterprise pricing surfaced.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tana Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.tana.inc

    > Browse all vendor trust reports