tapestry
Book a demo Sign up Login
Trust Center · last updated May 8, 2026

Trust, by design.

tapestry® runs on verified data shared between retailers, suppliers and partners. The trust that makes that possible is in the policies, controls and audit trails on this page. Read them. Question them. Ask us anything.

SOC 2
Type II · audited annually
ISO 27001
Certified · 2025
GDPR · APP
EU + AU compliant
99.99%
Uptime · trailing 90d

Privacy policy

What we collect, why we collect it, who we share it with, and how long we keep it. Plain English, then the formal version.

Read the policy →

Terms of use

The agreement that governs your use of tapestry - scope, responsibilities, IP, fees, liability, and how either of us can end the relationship.

Read the terms →

Security

How we keep your data safe in transit, at rest and in your team's hands. Encryption, key rotation, access controls, incident response.

See the controls →

Data processing addendum

The DPA that governs tapestry's role as a processor on your behalf - controllers, processors, sub-processors and what happens at the end of the contract.

Request the DPA →

Data governance

Marketplace sharing rules, aggregation thresholds, anonymity controls, and the audit trails behind every share.

See governance →

Status & uptime

Real-time system status, scheduled maintenance, and a 90-day history of incidents and resolutions.

Open status page →
01

Our commitments

tapestry®'s business depends on retailers, suppliers and partners trusting us with high-value shelf data. We've structured the company, the product, and the contracts to make that trust earned and verifiable - not assumed.

Five things we commit to, in plain English
  1. Your data is yours. You own it. We process it on your behalf.
  2. We will never share without your explicit, configured consent.
  3. Every share is logged. You can see it, audit it, and revoke it.
  4. Aggregation and anonymity are configurable, not assumed.
  5. If we get it wrong, we tell you - and we have a 72-hour notification SLA.
02

Security controls

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Keys are managed in a customer-isolated AWS KMS hierarchy with annual rotation.

Access

Role-based access control with least-privilege defaults. SSO via SAML or OIDC. Multi-factor authentication enforced for every administrator account. Hardware key support for engineering staff.

Infrastructure

Hosted on AWS in primary and disaster-recovery regions appropriate to your jurisdiction (AU, US, EU). Multi-AZ database replication. Daily point-in-time backups with 30-day retention; 1-year cold archive.

Application

Continuous static analysis, dependency scanning, and quarterly third-party penetration testing. Vulnerability disclosure program. Bug bounty open to certified security researchers.

People

Background checks for every employee with production access. Annual security training. Production access requires explicit, ticketed, audited approval.

CertificationStatusLast audited
SOC 2 Type IIActiveMarch 2026
ISO 27001:2022CertifiedNovember 2025
PCI DSS scopeN/A · no cards-
GDPR / Australian Privacy PrinciplesCompliantOngoing
03

Data governance

The marketplace at the centre of tapestry® only works if data sharing is governed - granularly, transparently, auditably. Three controls are non-negotiable:

  1. Aggregation thresholds. Default minimum cell sizes prevent inadvertent disclosure. You can tighten further per share.
  2. Anonymity layers. Store-level data can be shared as aggregated, anonymised, or identified - configurable per supplier, per category.
  3. Audit trails. Every share, every access, every payment is logged. Exports are available on demand.
Suppliers and retailers see different views. Marketplace data is presented to brand subscribers within the rules set by the retailer. You stay in control of what your data shows on the other side.
04

Data processing

Under our standard agreement, tapestry® is a processor for the data you bring to the platform, and a controller only for the optional marketplace flows you explicitly opt into.

Standard DPA terms

  • Processing limited to the purposes you direct
  • Sub-processors disclosed and updated 30 days in advance
  • Cross-border transfers governed by SCCs (EU) or equivalent
  • Breach notification within 72 hours of confirmed incident
  • Data deletion within 30 days of contract end (with audit certificate)

Request the latest DPA at legal@tapestry.ai.

05

Status & incidents

The live status page tracks API, ingest, dashboard, marketplace and HANK services across all regions. Past 90 days are public; full 12-month history is available to customers in-app.

Past 30 days
99.99%
Uptime · all services
0 sev-1 incidents
Past 90 days
99.97%
Uptime · all services
2 sev-2 incidents · post-mortems published
SLA commitment
99.9%
Monthly uptime
Service credits on breach
06

Sub-processors

tapestry® uses a small, audited set of sub-processors. Customers are notified by email 30 days before any addition. Current list:

VendorPurposeRegion
Amazon Web ServicesPrimary cloud infrastructureAU / US / EU
SnowflakeData warehouse for analyticsAU / US / EU
DatadogObservability & APMUS
LinearEngineering issue trackingUS
NotionInternal documentationUS
07

Contact security

For vulnerabilities, incidents, or any security-sensitive question: security@tapestry.ai. PGP key available on request.

For privacy and DPA matters: privacy@tapestry.ai.

Questions we haven't answered?

Send us a note. We respond to trust-center queries within one business day.

Contact security Read the privacy policy