// Trust & Security Report

    Tandem Software LLC logo

    Tandem Software LLC

    Tandem (tandem.chat) is a virtual-office / video-conferencing app for remote and hybrid teams (instant video calls, screensharing, virtual rooms, meeting widgets, 200+ integrations). Single product with tiered team-size pricing (Free, Small Teams, Medium Teams, Large Teams); no separate enterprise/API/AI product line found. Not to be confused with other companies also named 'Tandem': Tandem LLC / tandem.app (InfoSec compliance software, has its own real SOC 2 Type II), Tandem AI / usetandem.ai (AI workspace platform), Tandem Health (trust.tandemhealth.ai), or the Tandem language-learning app (tandem.net) — none of those entities' certifications apply to this vendor.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2
    NOT CONFIRMED

    "Tandem fully complies with SOC2 standard for data security... We conduct periodic reviews of our security with our cloud partner 66degrees.com" — self-declared on a Notion page linked from the site footer as "GDPR/SOC2". No auditor name, audit period, Type I/II designation, Trust Services Criteria scope, or downloadable report is provided anywhere on the vendor's domain. This is a self-attestation, not an independently verified certification.

    source: tandemchat.notion.site
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not mentioned on the privacy policy, terms of service, pricing page, or GDPR/SOC2 compliance page.

    source: tandem.chat
    HIPAA
    NOT CONFIRMED

    No public evidence. No HIPAA, BAA, or healthcare-data language anywhere on the vendor's site.

    source: tandem.chat
    GDPR (compliance posture)
    NOT CONFIRMED

    "Tandem is committed to and is fully compliant with this data protection regulation... users from each region in the world, eg Europe, are routed to the local cluster (eg Europe West) that is fully contained with respect to routing, data storage." This directly contradicts the vendor's own Privacy Policy, which states: "Tandem transfers, processes and stores data about you on servers operated by our hosting provider located in the United States of America." No DPA document, SCC reference, or list of sub-processors is published; enterprise inquiries are directed to an email address instead. Graded held=false because the compliance claim is self-declared and internally inconsistent, not because GDPR is a certifiable standard.

    source: tandemchat.notion.site
    PCI DSS
    NOT CONFIRMED

    "Payments made in the local cluster are stored in 3rd party PCI compliant servers and are not stored locally." This describes the PCI compliance of a third-party payment processor, not a PCI attestation held by Tandem Software LLC itself.

    source: tandemchat.notion.site
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on any vendor-domain page.

    source: tandem.chat
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence. Product has no described AI/LLM feature set, and no AI-governance certification is mentioned anywhere on the vendor's site.

    source: tandem.chat
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any vendor-domain page.

    source: tandem.chat
    FedRAMP
    NOT CONFIRMED

    No public evidence found on any vendor-domain page.

    source: tandem.chat

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Per the Privacy Policy, customer data is stored on servers operated by the vendor's hosting provider 'located in the United States of America.' The separate GDPR/SOC2 page instead claims users are routed to regional 'local clusters' (e.g. 'Europe West') hosted on Google Cloud Platform, contradicting the single-region (US) statement in the Privacy Policy. This inconsistency is unresolved as of this review.

    Tandem.chat is a video conferencing / virtual-office product, not an AI or LLM tool. No AI-training language, model-training clause, or opt-out mechanism appears anywhere in the Privacy Policy, Terms of Service, or GDPR/SOC2 page, and no AI feature is described on the site, so this field is not applicable/unknown rather than a confirmed 'no'.

    // Security controls

    Encryption in transit / at rest

    Not specified with technical detail. Privacy Policy only states generic 'commercially acceptable means of protecting it' and explicitly disclaims that 'no method of transmission over the internet, or method of electronic storage is 100% secure.' No TLS version or at-rest encryption algorithm (e.g. AES-256) is stated.

    tandem.chat

    Hosting infrastructure

    GDPR/SOC2 page states service clusters run on Google Cloud Platform with 'continuous monitoring.' This is inconsistent with the Privacy Policy's separate statement that data is stored with a US-based hosting provider without naming GCP.

    tandemchat.notion.site

    Data retention / deletion

    Customer data (names, profile photos, email addresses, recordings/transcriptions) is stated to be automatically purged once a customer unsubscribes; users can email gdpr@tandem.chat for deletion confirmation.

    tandemchat.notion.site

    Independent security review

    Vendor states it conducts 'periodic reviews of our security with our cloud partner 66degrees.com' — a cloud consulting partner, not an independent audit firm, and no report is published.

    tandemchat.notion.site

    Account security

    Privacy Policy 'encourages' but does not require two-factor authentication; no SSO/SAML is mentioned on the pricing or product pages for any tier.

    tandem.chat

    // Products & data scope

    Tandem (Free / Small Teams / Medium Teams / Large Teams)Video conferencing & virtual-office collaboration

    data: Names, email addresses, optional profile photos, meeting/call metadata, chat messages and timestamps, log data (IP, browser, device info); audio/video call content is stated as not recorded or stored by default.

    // What to watch

    • Over-claim: vendor's footer link is literally labeled 'GDPR/SOC2' and the linked page states Tandem 'fully complies with SOC2 standard for data security,' but no auditor, report, audit period, or Type I/II designation is provided anywhere — this reads as a compliance claim without a backing audit and should not be displayed as a verified SOC 2 badge.
    • Contradiction: Privacy Policy states data is stored only on US servers, while the GDPR page claims regional EU/US data clusters for GDPR purposes. Not resolved as of last_verified.
    • Identity risk: the name 'Tandem' is shared by at least four unrelated companies with real, verifiable certifications (Tandem LLC/tandem.app has an actual audited SOC 2 Type II from Sensiba LLP; Tandem AI/usetandem.ai claims its own SOC 2 Type 2). Web searches for 'Tandem SOC2' surface those unrelated companies' evidence prominently — none of it belongs to Tandem Software LLC (tandem.chat) and none was used in this assessment.
    • No independent trust center (SafeBase/Vanta/Drata/etc.); the only compliance documentation is a single self-authored Notion page.
    • No DPA document or sub-processor list is published; prospective enterprise customers must email the vendor to request this information.

    // At a glance

    Pricing model

    Per-team flat-rate SaaS subscription, tiered by member count (Free up to 4 members; $59-449/mo paid tiers up to unlimited members), monthly or annual billing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tandem Software LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    tandem.chat

    > Browse all vendor trust reports