// Trust & Security Report

    Tuple, LLC logo

    Tuple, LLC

    Tuple is a native macOS/Windows/Linux (alpha) desktop app for remote pair programming, offering high-resolution screen sharing, seamless remote control, and a privacy feature called App Veil. Single product line with Teams and Enterprise pricing tiers plus Slack, Google Calendar, and Apple Calendar integrations and a Triggers API.

    Certifications held

    1

    Maturity

    Startup

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    Tuple recognizes GDPR rights including access, correction, erasure, complaint filing, processing restrictions, objection, portability, and exemption from automated decision-making; users can exercise these rights by contacting support@tuple.app.

    Verify on tuple.app
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    While we'd eventually love to achieve these certifications, we don't hold them at this time.

    source: tuple.app
    ISO 27001
    NOT CONFIRMED

    While we'd eventually love to achieve these certifications, we don't hold them at this time.

    source: tuple.app
    HIPAA
    NOT CONFIRMED

    no public evidence of a HIPAA compliance program or BAA offering on tuple.app/security, tuple.app/privacy, or tuple.app/terms

    source: tuple.app
    PCI DSS
    NOT CONFIRMED

    no public evidence; Tuple's security page attributes PCI Level 1 accreditation only to its AWS hosting infrastructure, not to Tuple itself: "Amazon's data center operations have been accredited under: ... PCI Level 1"

    source: tuple.app
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    no public evidence found on tuple.app of an AI management system certification

    source: tuple.app
    CSA STAR
    NOT CONFIRMED

    no public evidence on tuple.app; a third-party aggregator (nudgesecurity.com) displays a 'CSA Star Level 1 Compliant' badge for Tuple but this is not corroborated by, and directly contradicts, Tuple's own security page statement that it holds no such certifications

    source: tuple.app
    FedRAMP
    NOT CONFIRMED

    no public evidence on tuple.app; a third-party aggregator (nudgesecurity.com) lists 'FedRamp Compliant' but Tuple's own security page contradicts this

    source: tuple.app

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    US-based hosting (AWS, per security page); subprocessors list shows a mix of US and EU processing locations (e.g., AWS and BetterStack listed as US & EU / EU); users consent to transfer of data to the United States by using the service, per the privacy policy.

    Tuple's privacy policy explicitly states: "We don't train AI models on any of our customer's data, nor do we have any intention of doing so." The product itself is a screen-sharing/pairing tool (not an AI feature product); the statement appears to be a general privacy assurance rather than a tier-specific AI opt-out. No public evidence of a standalone, self-serve DPA document; the subprocessors page directs compliance questions to security@tuple.app.

    // Security controls

    Encryption in transit (call media)

    Peer-to-peer data channels use DTLS 1.2; media streams (audio/video/screen share) use SRTP with AES-256 per-frame encryption, keys generated per participant and never reused; call media is end-to-end encrypted and never sent to Tuple's servers.

    tuple.app

    Encryption in transit (client-backend)

    All communication between the Tuple client and Tuple's backend is encrypted with TLS 1.2.

    tuple.app

    Encryption at rest

    User data stored in Amazon RDS is encrypted at rest using AES-256.

    tuple.app

    Hosting infrastructure

    Backend hosted on AWS. Tuple's security page notes AWS's own data centers are accredited under ISO 27001, SOC 1, SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and SOX -- these are the hosting provider's certifications, not Tuple's own.

    tuple.app

    Log retention

    Server/call logs retained 30 days in hot storage (via BetterStack), then archived to cold storage in Amazon S3 for two years before deletion.

    tuple.app

    Screen-share privacy control

    "App Veil" lets users hide sensitive apps and notifications from view before sharing their screen with a pairing partner.

    tuple.app

    Insurance

    Tuple states it carries roughly $13M in combined cyber liability, errors & omissions, and commercial liability insurance coverage.

    tuple.app

    Security contact

    security@tuple.app listed for security inquiries and subprocessor questions.

    tuple.app

    // Products & data scope

    Tuple (desktop app)Remote pair programming / screen sharing

    data: Live audio/video/screen-share streams (end-to-end encrypted, not stored on Tuple servers); account data (name, company, email); payment metadata via Stripe (last 4 digits, expiration); server logs and usage/crash analytics via third-party subprocessors.

    Single product available on macOS, Windows, and Linux (alpha). Teams plan ($30/user/month, includes SSO) and custom-priced Enterprise plan (adds invoice/PO billing and negotiated contracts); no functional or data-handling differences documented between tiers beyond SSO/billing.

    // What to watch

    • Tuple explicitly states on its own security page that it does NOT hold SOC 2 or ISO 27001 ('we don't hold them at this time'); a third-party aggregator (nudgesecurity.com) displays SOC 2 / ISO 27001 / HIPAA / PCI / GDPR / FedRAMP / CSA STAR 'compliant' badges for Tuple that directly contradict the vendor's own statement -- these badges appear to be templated/inaccurate and must not be used as evidence. Flagging for advisor awareness given the scale of the discrepancy.
    • AWS's own SOC 2/ISO 27001/PCI accreditations (for its data centers) are sometimes conflated with Tuple's certifications in marketing-style summaries; this is a host-vs-vendor distinction and Tuple's own certs are held=false.
    • No public, self-serve DPA document was found on tuple.app; compliance/DPA requests are routed through security@tuple.app rather than published.
    • No HIPAA-specific language (BAA, PHI handling) found anywhere on tuple.app despite third-party claims of HIPAA compliance.

    // At a glance

    Pricing model

    Per-seat subscription: Teams at $30/user/month (external collaborators pair for free), custom-priced Enterprise with negotiated contracts and invoice/PO billing; 14-day free trial; startup and open-source discounts available.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Tuple, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    tuple.app

    > Browse all vendor trust reports