Trust & Compliance
Security & Data Handling
Last reviewed May 14, 2026
The cases, descriptions, and documents you submit to Tesseum are never used to train, fine-tune, or improve language models — ours or any third party's. Every AI subprocessor we use is contracted under zero-data-retention terms.
1. Encryption
At rest: AES-256 encryption on all stored data (managed by Supabase). Database backups are encrypted with the same key class and replicated to an EU-region secondary.
In transit: TLS 1.3 across every request — browser → Vercel edge → serverless function → Supabase. HSTS is enabled at the apex domain.
2. Authentication & isolation
Tesseum uses Google OAuth 2.0 for sign-in. We never see or store passwords. WebAuthn passkeys are supported at the auth layer for users who prefer passwordless access.
Inside Postgres, every user-scoped table is protected by row-level security (RLS). Your chats, bundles, favorites, and account settings can be read only by requests carrying your own session token — even Tesseum staff cannot query them without breaking a sealed audit trail.
3. AI subprocessors — zero retention
Tesseum routes LLM calls through Anthropic (Claude) and Google (Gemini). Both are contracted under zero-data-retention agreements:
- Anthropic: Zero Data Retention Addendum signed; prompts and completions are not stored beyond the request lifetime and are excluded from any training pipeline.
- Google Gemini API: traffic flows through Google Cloud's enterprise tier where data is not used for model improvement.
If a model provider ever changes its retention policy, we will publish an addendum here before any traffic moves to the new terms.
4. Hosting & data residency
The application runs on Vercel in the Frankfurt (fra1) region. Database and storage are hosted by Supabase. Standard Contractual Clauses (SCCs) approved by the European Commission cover any onward transfer outside the EEA. Full subprocessor list and current data-flow diagram live in the Data Processing Agreement.
5. Corpus status
Tesseum is built on a verified legal corpus. Every article is sourced from the official gazette of its jurisdiction; nothing is paraphrased or generated. Counts below are live as of the last review date above.
| Jurisdiction | Articles | Laws | Case law |
|---|---|---|---|
| 🇲🇽 Mexico (federal + 32 states) | 128,324 | 218 | 271,813 |
| 🇨🇿 Czech Republic | 19,768 | 97 | 48,922 |
| 🇫🇷 France | 31,145 | 8 | — |
| 🇪🇸 Spain | 10,053 | 11 | 232 |
| 🇩🇪 Germany | 5,613 | 6 | — |
| 🇨🇭 Switzerland | 3,353 | 4 | — |
| 🇲🇨 Monaco | 2,585 | 3 | — |
| 🇺🇳 UN treaties | 251 | 6 | — |
| 🌎 OAS treaties | 82 | 1 | — |
| Total | 201,174 | 354 | 320,967 |
The corpus grows. Updated counts are pulled directly from production on each review.
6. Operational practice
- Least privilege: only the deployment service role can run migrations; all application traffic uses scoped anon keys with RLS.
- Secrets management: credentials live in Vercel environment variables, never committed to the repository.
- Dependency hygiene: automated alerts on critical CVEs in the dependency tree.
- Webhook integrity: Stripe payment events are signature-verified and idempotency-tracked in a dedicated table.
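The row-level security described in section 2 and the least-privilege split above (service role for migrations, scoped anon key plus RLS for application traffic) fit together in a handful of Postgres statements. The following is an added illustration, not Tesseum's own schema: the table name `public.chats`, its columns, and the policy names are assumed, while `auth.uid()`, `auth.users`, and the `anon`, `authenticated` and `service_role` roles are the standard ones Supabase provisions.

```sql
-- Added illustration of a Supabase/Postgres RLS setup for one user-scoped
-- table. Table, column and policy names are assumptions, not Tesseum's.

create table if not exists public.chats (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  title      text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS and additionally force it, so policies also apply to the table
-- owner. Only roles with BYPASSRLS (Supabase's service_role, used here for
-- migrations) skip policy evaluation; anon and authenticated do not.
alter table public.chats enable row level security;
alter table public.chats force row level security;

-- The anon role (the scoped public key without a user JWT) gets no access
-- to user data at all; a signed-in user becomes the authenticated role.
revoke all on public.chats from anon;
grant select, insert, update, delete on public.chats to authenticated;

-- auth.uid() returns the user id (JWT "sub" claim) of the request.
-- USING filters which rows can be read or targeted; WITH CHECK validates
-- rows being written, so a user cannot insert or reassign a row to someone else.
create policy chats_select_own on public.chats
  for select to authenticated
  using (auth.uid() = user_id);

create policy chats_insert_own on public.chats
  for insert to authenticated
  with check (auth.uid() = user_id);

create policy chats_update_own on public.chats
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy chats_delete_own on public.chats
  for delete to authenticated
  using (auth.uid() = user_id);

-- Quick check against a development database: impersonate an authenticated
-- user for one transaction and confirm only that user's rows are visible.
-- request.jwt.claims is the per-request setting Supabase's API layer populates;
-- the uuid below is a constructed placeholder.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
select count(*) from public.chats;  -- only rows whose user_id equals the sub above
rollback;
```

Two points worth checking in any review of such a setup: every user-scoped table needs its own `enable row level security` (a table without it is fully readable by `authenticated`), and both `using` and `with check` must be present on update policies, otherwise a user who can see a row could rewrite its `user_id` to another account.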
7. Your control over your data
Inside Settings → Your data you can, at any moment and without contacting support:
- Download all your data as a single JSON file (GDPR Article 20 — Right to Data Portability).
- Delete your account permanently. Profile, chats, bundles, favorites, preferences, and authentication credentials are erased. Financial records are anonymized to satisfy tax-law retention obligations (GDPR Article 17 — Right to Erasure).
8. Reporting a vulnerability
If you find a security issue, please email hola@tesseum.com with the subject line "Security report". We aim to acknowledge within 48 hours. Responsible disclosure is appreciated and protected.