// Trust & Security Report
Tana Labs, Inc.
Tana (agentic meeting platform) and Tana Outliner (note-taking outliner). Operated by Tana Labs, Inc., a Delaware corporation headquartered at 470 Ramona Street, Palo Alto, CA 94301. Public-facing brand 'Tana Inc.' / tana.inc.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on tana.inc“GDPR Compliant (homepage badge, no asterisk). Privacy Policy: 'Tana is also committed to ensuring that the processing of your personal data is carried out in accordance with applicable data protection legislation' and cites GDPR legal bases (e.g. 'GDPR Art. 6(1)(f)'). GDPR is a self-attested regulatory posture, not a third-party-audited certification.”
> Show 3 unconfirmed / not-held certifications
source: tana.incSOC2 Compliant * ... * In progress. ETA Q3 2026. (homepage). Trust center Resources list shows only 'Letter Of Intent - Audit SOC2 Type 2' and 'Engagement Letter - Vanta' — no completed report.
source: trust.tana.incNo mention of ISO 27001 found on homepage, trust center, privacy policy, or terms.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Application infrastructure and user content hosted on Google Cloud Platform in the European Union. AI/LLM processing is split across regions: Gemini (GCP) in the EU; Claude (Anthropic) and OpenAI in the United States; LiveKit (WebRTC for in-product meetings) in the United States. So meeting audio/video and AI prompts can leave the EU for US-based LLM and real-time-media subprocessors.
Does not train on customer User Content by default. Privacy Policy: 'We do not use your User Content to train, improve, or develop AI or machine learning models unless we notify you in advance and provide you with an opportunity to opt out. This restriction also applies contractually to our AI subprocessors.' Terms repeat the same language and add that User Content is transferred to AI models 'for processing and augmentation as necessary to provide the Service' (inference, not training). Homepage badge: 'No training on your data'. Note the opt-out (rather than opt-in) model: if Tana later chooses to train, the default after notice is participation unless the user acts.
// Security controls
Trust center (Vanta-hosted)
Public trust center at trust.tana.inc backed by Vanta continuous monitoring; documents controls across Infrastructure security, Organizational security, Product security, Internal security procedures, and Data and privacy. Covers both Tana and Tana Outliner.
trust.tana.incEncryption
Encryption in transit ('Data transmission encrypted'); encryption key access restricted. At-rest encryption is implied via GCP but not explicitly quoted.
trust.tana.incAccess control
Unique production database authentication enforced; unique account authentication enforced; SSO offered ('SSO' badge on homepage).
trust.tana.incVulnerability management
'Vulnerability and system monitoring procedures established'; 'Anti-malware technology utilized'. No bug bounty platform (HackerOne/Bugcrowd) found. No explicit penetration-test attestation found in captured controls.
trust.tana.incOrg / operational security
Employee background checks performed; production inventory maintained; Business Continuity and Disaster Recovery plans established and tested; configuration management system established; data retention and classification policies; 'Customer data deleted upon leaving'.
trust.tana.inc// Products & data scope
data: Highest-sensitivity scope. Captures meeting audio recordings, video recordings, screen captures/recordings, transcriptions, plus connected-knowledge content (docs, tasks, CRM fields, contacts). Runs AI agents that act during native video calls and connect to external tools via MCP (GitHub, Slack, HubSpot, Linear, Jira, Google Calendar, Outlook, Claude Code, Codex, Gemini, Cursor). Meeting media flows through LiveKit (US) and prompts to Claude/OpenAI (US) or Gemini (EU).
Marketed to product/eng, consultants, VCs, creatives, founders, customer success, and sales. 'No training on your data', SSO, granular sharing controls, 'MCP & API first'. SOC2 and HIPAA still in progress, so HIPAA-regulated (PHI) use should not be assumed yet.
data: User-entered notes, nodes, Supertags, documents, files, calendars, agendas. Lower-sensitivity than the meeting platform (no native meeting audio/video capture by default).
The company's original note-taking product at outliner.tana.inc. Shares the same Tana Labs privacy policy, terms, and trust center; the subprocessor list flags which subprocessors apply to Tana, Tana Outliner, or both.
// What to watch
- No completed third-party certifications yet. SOC2 and HIPAA are explicitly 'in progress' (ETA Q3 2026); trust center shows only a Vanta engagement letter and a SOC2 Type 2 'Letter of Intent' — do not list SOC2/HIPAA as held.
- GDPR is a self-attested posture, not an audited certification — display it as 'GDPR-aligned', not 'GDPR certified'.
- AI training is opt-OUT, not opt-in: Tana reserves the right to train on User Content after advance notice unless the user opts out. Default-no-training holds today, but the contractual door is open.
- Cross-border data flow: EU-hosted storage but US-based LLM (Claude, OpenAI) and US-based real-time media (LiveKit). Meeting audio/video and prompts leave the EU. Relevant for EU/UK procurement and data-residency requirements.
- Trust center is Vanta-hosted and JavaScript-rendered; could not be independently re-fetched by automated tools.
- Entity naming inconsistency: legal entity is 'Tana Labs, Inc.' (Delaware) in privacy/terms, while the homepage footer reads '© 2026 Tana Inc.' and the trust center is 'Tana.inc'. Likely branding vs legal-entity difference, not a red flag, but worth noting.
- No public bug-bounty program (HackerOne/Bugcrowd) and no explicit penetration-test attestation found.
- Sensitive data surface is high for the meeting product (live audio/video/screen capture + agent actions across connected tools) — vet carefully before any regulated/PHI workload.
// At a glance
Pricing model
Freemium SaaS subscription. Free version plus paid monthly/yearly subscriptions; 30-day free trial, no credit card required. No public self-host/enterprise pricing surfaced.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Tana Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.tana.inc