Transparency, no jargon.
Everything you need to assess Tudo's security and privacy posture, without having to ask for a document.
Last updated: April 2026
Data residency
By default, we host on Vercel + Supabase in us-east-1 (Virginia). The Brazil region (Supabase sa-east-1) enters general availability in Q3 2026 — accounts created in Brazil will be migrated automatically at no additional cost when the region ships. Customers needing regional residency sooner can request it via contato@usetudo.com.
Compliance
LGPD (Brazil)
We process personal data in line with Law 13.709/2018. Appointed DPO, full export to CSV/JSON, anonymization and right-to-erasure on every plan.
GDPR (EU)
DPA available to every customer. Standard contractual clauses (SCCs) cover international transfers. EU representative under contract.
CCPA (California)
We do not sell anyone's data. Public "Do Not Sell My Personal Information" link in the footer for California customers.
Certifications
- In progress: SOC 2 Type I — audit contracted, target completion Q4 2026.
- Planned: ISO 27001 planned for 2027.
We don't list badges we don't hold. When the SOC 2 report is ready, it will appear here with a link to the document.
Subprocessors
Companies that process data on our behalf. We notify customers 30 days before any change to this list.
| Provider | Purpose | Location | DPA |
|---|---|---|---|
| Vercel | Web application hosting | US | vercel.com/legal/dpa |
| Supabase | Database, auth and storage | US (BR from Q3 2026) | supabase.com/dpa |
| Stripe | Payments processing | US + EU | stripe.com/legal/dpa |
| Anthropic | AI inference (Claude) | US | anthropic.com/legal/dpa |
| Resend | Transactional email | US | resend.com/legal/dpa |
| Plausible | Web analytics (no cookies) | EU (Germany) | plausible.io/dpa |
AI & your data
Your data is never used to train Claude or any other model. We run the Anthropic API in zero-retention mode — prompts and responses are not stored on their infrastructure. Technical details live in our DPA.
Reporting a vulnerability
Found a security issue? Email security@usetudo.com. We respond within 24 hours and deliver a remediation plan within 5 business days. Bug bounty program under consideration for 2026.
security@usetudo.com · PGP key available at /trust/pgp.asc