Tofu is ISO 27001:2022 certified, the globally recognized standard for information security management. This means we follow strict best practices to safeguard your data and earn your trust.

Your data is securely hosted on Amazon Web Services in Frankfurt, Germany. It’s protected with the same advanced security trusted by banks and governments, encrypted in transit with TLS 1.2+ and at rest with AES-256.

Our infrastructure spans multiple geographic locations with built-in resilience, ensuring Tofu runs smoothly and without interruptions.

Tofu is PCI-DSS SAQ-A compliant, the same security standard trusted across the payment industry. This means we never see or store your credit card details, all payments are handled by fully certified, secure providers.

Tofu fully complies with EU GDPR standards, ensuring your data is handled securely, transparently, and always under your control.

Tofu makes it easy to connect with your company’s identity management system through seamless Single Sign-On (SSO) integration. With SSO included in every plan, your team can use their existing company login to access Tofu,  making sign-ins faster, easier, and more secure.

At Tofu, we prioritise security and transparency in how our AI works with your data. Here are answers to common questions about how we protect your information.

1. Does Tofu use customer information to train third-party Large Language Models (LLMs)?

‍No, the LLMs Tofu uses do not train on customer data. For details on the LLMs we employ, please see our Sub-Processor Lists.

2. How does Tofu ensure customer information and artifacts are not used for unauthorized training?

Tofu securely segregates each customer’s data and knowledge in our database, ensuring that learning activities only use their historical data from connected accounting software, AI-generated artifacts, and user inputs. Customers must explicitly opt-in to share data for improving Tofu’s AI system.