// Trust & Security Report

    Tempus AI, Inc. (operating clinical laboratory subsidiary Tempus Labs, Inc.) logo

    Tempus AI, Inc. (operating clinical laboratory subsidiary Tempus Labs, Inc.)

    AI-enabled precision medicine platform: CLIA-certified/CAP-accredited genomic and molecular diagnostic lab testing (oncology, cardiology, radiology, neuropsychiatry), the Tempus OS data/AI operating system, Tempus One (generative-AI clinical/research assistant), Tempus Next (care-gap/care-pathway intelligence), Tempus Lens (data/AI platform for biopharma drug development), and the TIME Trial clinical-trial-matching network. Distinct from the unrelated companies 'Tempus Technologies' (payments) and 'Tempus Resource' by ProSymmetry (project management software) - do not conflate certifications or facts across these.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HIPAA (posture, not a certification)
    HELD

    "THIS NOTICE OF PRIVACY PRACTICES ("NOTICE") DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION" ... "Tempus collects protected health information about you that is necessary to perform the laboratory testing and other services we provide" ... "Tempus is committed and required by law to maintain the privacy and security of PHI and will not disclose your PHI without your authorization, except as described in their Notice."

    Verify on tempus.com
    GDPR (posture)
    HELD

    Privacy policy enumerates EU data-subject rights: "Right to request access to your Personal Information; Right to ask for correction of errors or completion of omissions ...; Right to ask for deletion ...; Right to limit processing ...; Right to receive or have transmitted to another person a portable copy of your Personal Information."

    Verify on tempus.com
    CLIA certification / CAP laboratory accreditation
    HELD

    Chicago laboratory: "Tempus AI, Inc. Laboratory Chicago, Illinois ... CAP#: 9457540" with CLIA# 14D2114007; Tempus also operates CAP-accredited, CLIA-certified labs in Atlanta and Durham. Note: this is clinical-laboratory quality accreditation (relevant given Tempus is a diagnostic lab), not an information-security certification, and is listed here for completeness rather than as a SOC2/ISO substitute.

    Verify on tempus.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence.

    source: tempus.com
    ISO 27001
    NOT CONFIRMED

    No public evidence on tempus.com. Note: search results surfaced an unrelated company, 'Tempus Resource' by ProSymmetry (project management software), announcing ISO 27001 in 2024 - that certification belongs to a different company with a similar name and does NOT apply to Tempus AI / tempus.com.

    source: tempus.com
    HITRUST CSF
    NOT CONFIRMED

    No public evidence found on any tempus.com page or in Tempus AI investor/SEC filings referencing HITRUST certification.

    source: tempus.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of a PCI DSS attestation on tempus.com. (Search results also surfaced credit-card AES-256 encryption language, but this could not be confirmed as specific to Tempus AI's own payment page versus a generic policy statement; graded false pending direct confirmation.)

    source: tempus.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not applicable/claimed; Tempus AI does not market a FedRAMP-authorized offering.

    source: tempus.com
    ISO/IEC 42001 (AI management) / CSA STAR AI
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or CSA STAR (AI) certification on tempus.com despite Tempus's AI-heavy product marketing (Tempus OS, Tempus One, Lens).

    source: tempus.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not stated

    Data region

    Not explicitly stated in available evidence; Tempus operates CLIA/CAP labs and is headquartered in the US (Chicago, IL); no explicit EU/other regional data-residency commitment was found.

    Tempus's core business model is built on aggregating de-identified clinical, molecular, and imaging data (reported at 8.5M+ de-identified longitudinal patient records) to develop and train AI/ML models for oncology and other disease areas, and to license de-identified data/insights to biopharma partners. Per the Notice of Privacy Practices, PHI used for research is de-identified according to HIPAA standards before being placed in research databases. This is a data-licensing/model-development posture tied to patient authorization and HIPAA de-identification, not a SaaS 'trains on your prompts' scenario. provider vs. biopharma-partner) differences could not be independently re-verified beyond what indexed search snippets returned - flagged for follow-up.

    // Security controls

    Encryption in transit / at rest

    Vendor states use of "technical, physical, and administrative safeguards ... incorporating secure storage and transmission technologies including encryption, firewalls, access control and audit." Could not independently re-verify with a direct page fetch (site blocked automated fetch); sourced via indexed search of the vendor's own privacy page.

    tempus.com

    Security leadership / program

    Tempus discloses named security/privacy leadership on its team page: a Chief Privacy Officer ("counsels on state and federal data privacy and security compliance, international privacy and security, and data breach response") and a Chief Information Security Officer ("responsible for leading the Information Security team, managing information security risks, and protecting data integrity and privacy").

    tempus.com

    Vulnerability disclosure program

    Vendor maintains a Responsible Disclosure page inviting security researchers to report findings; page content could not be directly re-fetched during this review (blocked by site bot protection) so full program terms (bug bounty vs. VDP, scope) are not confirmed.

    tempus.com

    Vendor/third-party information security requirements

    Tempus publishes an "Information Security Requirements" page in its Policy Center directed at vendors/partners, indicating a formal third-party risk program exists; specific control requirements could not be extracted (page blocked automated fetch).

    tempus.com

    Session/access controls (product-level)

    For at least one clinical documentation product, vendor states data is "encrypted and stored securely in a HIPAA compliant manner" and the product "will log users out after an hour of inactivity."

    tempus.com

    // Products & data scope

    Tempus genomic/molecular diagnostic testing (xT, xG, xG+, xE, liquid biopsy, etc.)Clinical laboratory / diagnostics

    data: Patient PHI, genomic sequencing data, pathology and clinical records processed under CLIA/CAP-accredited labs and HIPAA covered-entity/business-associate obligations.

    Core lab business; governed by the Notice of Privacy Practices (HIPAA) rather than a typical SaaS DPA.

    Tempus OneGenerative-AI clinical/research assistant

    data: Queries against clinical notes and structured/unstructured patient and research data for providers and, separately, life-sciences researchers.

    Marketed to both provider (oncology) and life-sciences audiences with separate landing pages; data-handling differences between the two audiences are not fully documented in available evidence - flagged for follow-up.

    Tempus NextAI-enabled care-pathway intelligence

    data: Integrates with EMRs to analyze clinical notes, molecular data, and imaging to surface care-gap alerts.

    Enterprise/health-system deployment, not a consumer product.

    Tempus Lens / data-and-AI for biopharmaData licensing and AI platform for drug development

    data: De-identified, aggregated multimodal clinical/molecular/imaging data licensed to biopharma partners for research and AI model development.

    This is the segment most directly implicated by the 'trains on data' question; data is represented as de-identified per HIPAA standards prior to use.

    TIME Trial NetworkClinical trial matching

    data: EMR-integrated screening of patient records (reported >1M patients screened daily) to match patients to oncology trials.

    Operates under provider/site agreements; separate consent flows apply for trial enrollment.

    // What to watch

    • Identity-conflation risk: multiple unrelated companies share the 'Tempus' name - 'Tempus Technologies' (payments) and 'Tempus Resource' by ProSymmetry (project-management software, which does hold ISO 27001/SOC 2) are NOT Tempus AI / tempus.com. Any listing must clearly disambiguate to avoid attributing another company's certifications to this vendor.
    • No SOC 2, ISO 27001, or HITRUST evidence found anywhere on tempus.com despite the company being a large public healthcare/AI company (NASDAQ: TEM) - notable gap for a vendor handling PHI at scale; should be re-verified directly with the vendor before enterprise procurement decisions.
    • Facts above were corroborated via indexed search-engine snippets of the same vendor-domain URLs rather than a raw page fetch; recommend a follow-up direct fetch/manual check before finalizing enterprise-grade claims.
    • AI-training posture (de-identified data used to build models and license to biopharma) is central to Tempus's business model - buyers evaluating Tempus for patient-facing or provider workflows should confirm current opt-out mechanics and any tier differences directly with Tempus, as this could not be fully re-verified from vendor pages during this review.
    • No dedicated third-party trust center (e.g., SafeBase, Vanta, Conveyor) was found; compliance documentation appears to be provided only via direct vendor engagement (Information Security Requirements / policy-center pages), consistent with a healthcare enterprise sales motion rather than a self-serve SaaS trust page.

    // At a glance

    Pricing model

    Not disclosed publicly as a self-serve price list; enterprise/health-system and biopharma contracts, plus payer/insurance billing for diagnostic testing. Public company (NASDAQ: TEM) with segment revenue split between genomics (lab testing) and data & services (biopharma/AI licensing).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tempus AI, Inc. (operating clinical laboratory subsidiary Tempus Labs, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    tempus.com

    > Browse all vendor trust reports