// Trust & Security Report
Tuple, LLC
Tuple is a native macOS/Windows/Linux (alpha) desktop app for remote pair programming, offering high-resolution screen sharing, seamless remote control, and a privacy feature called App Veil. Single product line with Teams and Enterprise pricing tiers plus Slack, Google Calendar, and Apple Calendar integrations and a Triggers API.
Certifications held
1
Maturity
Startup
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on tuple.app“Tuple recognizes GDPR rights including access, correction, erasure, complaint filing, processing restrictions, objection, portability, and exemption from automated decision-making; users can exercise these rights by contacting support@tuple.app.”
> Show 7 unconfirmed / not-held certifications
source: tuple.appWhile we'd eventually love to achieve these certifications, we don't hold them at this time.
source: tuple.appWhile we'd eventually love to achieve these certifications, we don't hold them at this time.
source: tuple.appno public evidence of a HIPAA compliance program or BAA offering on tuple.app/security, tuple.app/privacy, or tuple.app/terms
source: tuple.appno public evidence; Tuple's security page attributes PCI Level 1 accreditation only to its AWS hosting infrastructure, not to Tuple itself: "Amazon's data center operations have been accredited under: ... PCI Level 1"
source: tuple.appno public evidence found on tuple.app of an AI management system certification
source: tuple.appno public evidence on tuple.app; a third-party aggregator (nudgesecurity.com) displays a 'CSA Star Level 1 Compliant' badge for Tuple but this is not corroborated by, and directly contradicts, Tuple's own security page statement that it holds no such certifications
source: tuple.appno public evidence on tuple.app; a third-party aggregator (nudgesecurity.com) lists 'FedRamp Compliant' but Tuple's own security page contradicts this
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
US-based hosting (AWS, per security page); subprocessors list shows a mix of US and EU processing locations (e.g., AWS and BetterStack listed as US & EU / EU); users consent to transfer of data to the United States by using the service, per the privacy policy.
Tuple's privacy policy explicitly states: "We don't train AI models on any of our customer's data, nor do we have any intention of doing so." The product itself is a screen-sharing/pairing tool (not an AI feature product); the statement appears to be a general privacy assurance rather than a tier-specific AI opt-out. No public evidence of a standalone, self-serve DPA document; the subprocessors page directs compliance questions to security@tuple.app.
// Security controls
Encryption in transit (call media)
Peer-to-peer data channels use DTLS 1.2; media streams (audio/video/screen share) use SRTP with AES-256 per-frame encryption, keys generated per participant and never reused; call media is end-to-end encrypted and never sent to Tuple's servers.
tuple.appEncryption in transit (client-backend)
All communication between the Tuple client and Tuple's backend is encrypted with TLS 1.2.
tuple.appHosting infrastructure
Backend hosted on AWS. Tuple's security page notes AWS's own data centers are accredited under ISO 27001, SOC 1, SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and SOX -- these are the hosting provider's certifications, not Tuple's own.
tuple.appLog retention
Server/call logs retained 30 days in hot storage (via BetterStack), then archived to cold storage in Amazon S3 for two years before deletion.
tuple.appScreen-share privacy control
"App Veil" lets users hide sensitive apps and notifications from view before sharing their screen with a pairing partner.
tuple.appInsurance
Tuple states it carries roughly $13M in combined cyber liability, errors & omissions, and commercial liability insurance coverage.
tuple.appSecurity contact
security@tuple.app listed for security inquiries and subprocessor questions.
tuple.app// Products & data scope
data: Live audio/video/screen-share streams (end-to-end encrypted, not stored on Tuple servers); account data (name, company, email); payment metadata via Stripe (last 4 digits, expiration); server logs and usage/crash analytics via third-party subprocessors.
Single product available on macOS, Windows, and Linux (alpha). Teams plan ($30/user/month, includes SSO) and custom-priced Enterprise plan (adds invoice/PO billing and negotiated contracts); no functional or data-handling differences documented between tiers beyond SSO/billing.
// What to watch
- Tuple explicitly states on its own security page that it does NOT hold SOC 2 or ISO 27001 ('we don't hold them at this time'); a third-party aggregator (nudgesecurity.com) displays SOC 2 / ISO 27001 / HIPAA / PCI / GDPR / FedRAMP / CSA STAR 'compliant' badges for Tuple that directly contradict the vendor's own statement -- these badges appear to be templated/inaccurate and must not be used as evidence. Flagging for advisor awareness given the scale of the discrepancy.
- AWS's own SOC 2/ISO 27001/PCI accreditations (for its data centers) are sometimes conflated with Tuple's certifications in marketing-style summaries; this is a host-vs-vendor distinction and Tuple's own certs are held=false.
- No public, self-serve DPA document was found on tuple.app; compliance/DPA requests are routed through security@tuple.app rather than published.
- No HIPAA-specific language (BAA, PHI handling) found anywhere on tuple.app despite third-party claims of HIPAA compliance.
// At a glance
Pricing model
Per-seat subscription: Teams at $30/user/month (external collaborators pair for free), custom-priced Enterprise with negotiated contracts and invoice/PO billing; 14-day free trial; startup and open-source discounts available.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Tuple, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
tuple.app