// Trust & Security Report
Tempus AI, Inc. (operating clinical laboratory subsidiary Tempus Labs, Inc.)
AI-enabled precision medicine platform: CLIA-certified/CAP-accredited genomic and molecular diagnostic lab testing (oncology, cardiology, radiology, neuropsychiatry), the Tempus OS data/AI operating system, Tempus One (generative-AI clinical/research assistant), Tempus Next (care-gap/care-pathway intelligence), Tempus Lens (data/AI platform for biopharma drug development), and the TIME Trial clinical-trial-matching network. Distinct from the unrelated companies 'Tempus Technologies' (payments) and 'Tempus Resource' by ProSymmetry (project management software) - do not conflate certifications or facts across these.
Certifications held
3
Maturity
Enterprise
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on tempus.com“"THIS NOTICE OF PRIVACY PRACTICES ("NOTICE") DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION" ... "Tempus collects protected health information about you that is necessary to perform the laboratory testing and other services we provide" ... "Tempus is committed and required by law to maintain the privacy and security of PHI and will not disclose your PHI without your authorization, except as described in their Notice."”
Verify on tempus.com“Privacy policy enumerates EU data-subject rights: "Right to request access to your Personal Information; Right to ask for correction of errors or completion of omissions ...; Right to ask for deletion ...; Right to limit processing ...; Right to receive or have transmitted to another person a portable copy of your Personal Information."”
Verify on tempus.com“Chicago laboratory: "Tempus AI, Inc. Laboratory Chicago, Illinois ... CAP#: 9457540" with CLIA# 14D2114007; Tempus also operates CAP-accredited, CLIA-certified labs in Atlanta and Durham. Note: this is clinical-laboratory quality accreditation (relevant given Tempus is a diagnostic lab), not an information-security certification, and is listed here for completeness rather than as a SOC2/ISO substitute.”
> Show 6 unconfirmed / not-held certifications
source: tempus.comNo public evidence on tempus.com. Note: search results surfaced an unrelated company, 'Tempus Resource' by ProSymmetry (project management software), announcing ISO 27001 in 2024 - that certification belongs to a different company with a similar name and does NOT apply to Tempus AI / tempus.com.
source: tempus.comNo public evidence found on any tempus.com page or in Tempus AI investor/SEC filings referencing HITRUST certification.
source: tempus.comNo public evidence of a PCI DSS attestation on tempus.com. (Search results also surfaced credit-card AES-256 encryption language, but this could not be confirmed as specific to Tempus AI's own payment page versus a generic policy statement; graded false pending direct confirmation.)
source: tempus.comNo public evidence. Not applicable/claimed; Tempus AI does not market a FedRAMP-authorized offering.
source: tempus.comNo public evidence of ISO/IEC 42001 or CSA STAR (AI) certification on tempus.com despite Tempus's AI-heavy product marketing (Tempus OS, Tempus One, Lens).
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not stated
Data region
Not explicitly stated in available evidence; Tempus operates CLIA/CAP labs and is headquartered in the US (Chicago, IL); no explicit EU/other regional data-residency commitment was found.
Tempus's core business model is built on aggregating de-identified clinical, molecular, and imaging data (reported at 8.5M+ de-identified longitudinal patient records) to develop and train AI/ML models for oncology and other disease areas, and to license de-identified data/insights to biopharma partners. Per the Notice of Privacy Practices, PHI used for research is de-identified according to HIPAA standards before being placed in research databases. This is a data-licensing/model-development posture tied to patient authorization and HIPAA de-identification, not a SaaS 'trains on your prompts' scenario. provider vs. biopharma-partner) differences could not be independently re-verified beyond what indexed search snippets returned - flagged for follow-up.
// Security controls
Encryption in transit / at rest
Vendor states use of "technical, physical, and administrative safeguards ... incorporating secure storage and transmission technologies including encryption, firewalls, access control and audit." Could not independently re-verify with a direct page fetch (site blocked automated fetch); sourced via indexed search of the vendor's own privacy page.
tempus.comSecurity leadership / program
Tempus discloses named security/privacy leadership on its team page: a Chief Privacy Officer ("counsels on state and federal data privacy and security compliance, international privacy and security, and data breach response") and a Chief Information Security Officer ("responsible for leading the Information Security team, managing information security risks, and protecting data integrity and privacy").
tempus.comVulnerability disclosure program
Vendor maintains a Responsible Disclosure page inviting security researchers to report findings; page content could not be directly re-fetched during this review (blocked by site bot protection) so full program terms (bug bounty vs. VDP, scope) are not confirmed.
tempus.comVendor/third-party information security requirements
Tempus publishes an "Information Security Requirements" page in its Policy Center directed at vendors/partners, indicating a formal third-party risk program exists; specific control requirements could not be extracted (page blocked automated fetch).
tempus.comSession/access controls (product-level)
For at least one clinical documentation product, vendor states data is "encrypted and stored securely in a HIPAA compliant manner" and the product "will log users out after an hour of inactivity."
tempus.com// Products & data scope
data: Patient PHI, genomic sequencing data, pathology and clinical records processed under CLIA/CAP-accredited labs and HIPAA covered-entity/business-associate obligations.
Core lab business; governed by the Notice of Privacy Practices (HIPAA) rather than a typical SaaS DPA.
data: Queries against clinical notes and structured/unstructured patient and research data for providers and, separately, life-sciences researchers.
Marketed to both provider (oncology) and life-sciences audiences with separate landing pages; data-handling differences between the two audiences are not fully documented in available evidence - flagged for follow-up.
data: Integrates with EMRs to analyze clinical notes, molecular data, and imaging to surface care-gap alerts.
Enterprise/health-system deployment, not a consumer product.
data: De-identified, aggregated multimodal clinical/molecular/imaging data licensed to biopharma partners for research and AI model development.
This is the segment most directly implicated by the 'trains on data' question; data is represented as de-identified per HIPAA standards prior to use.
data: EMR-integrated screening of patient records (reported >1M patients screened daily) to match patients to oncology trials.
Operates under provider/site agreements; separate consent flows apply for trial enrollment.
// What to watch
- Identity-conflation risk: multiple unrelated companies share the 'Tempus' name - 'Tempus Technologies' (payments) and 'Tempus Resource' by ProSymmetry (project-management software, which does hold ISO 27001/SOC 2) are NOT Tempus AI / tempus.com. Any listing must clearly disambiguate to avoid attributing another company's certifications to this vendor.
- No SOC 2, ISO 27001, or HITRUST evidence found anywhere on tempus.com despite the company being a large public healthcare/AI company (NASDAQ: TEM) - notable gap for a vendor handling PHI at scale; should be re-verified directly with the vendor before enterprise procurement decisions.
- Facts above were corroborated via indexed search-engine snippets of the same vendor-domain URLs rather than a raw page fetch; recommend a follow-up direct fetch/manual check before finalizing enterprise-grade claims.
- AI-training posture (de-identified data used to build models and license to biopharma) is central to Tempus's business model - buyers evaluating Tempus for patient-facing or provider workflows should confirm current opt-out mechanics and any tier differences directly with Tempus, as this could not be fully re-verified from vendor pages during this review.
- No dedicated third-party trust center (e.g., SafeBase, Vanta, Conveyor) was found; compliance documentation appears to be provided only via direct vendor engagement (Information Security Requirements / policy-center pages), consistent with a healthcare enterprise sales motion rather than a self-serve SaaS trust page.
// At a glance
Pricing model
Not disclosed publicly as a self-serve price list; enterprise/health-system and biopharma contracts, plus payer/insurance billing for diagnostic testing. Public company (NASDAQ: TEM) with segment revenue split between genomics (lab testing) and data & services (biopharma/AI licensing).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Tempus AI, Inc. (operating clinical laboratory subsidiary Tempus Labs, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
tempus.com