Security Policy
Last updated: December 15, 2025
Keeping your data secure is critical to us. This page outlines how we approach security at Terac.
Please submit potential vulnerabilities via email to security@terac.com.
For any security-related questions, feel free to contact us at security@terac.com.
Summary
Terac is an AI-powered platform that enables organizations to conduct automated qualitative research interviews while providing panelists (research participants) a seamless way to participate in studies and earn compensation. Security and privacy are foundational to our platform, both for the organizations conducting sensitive research and for the panelists sharing personal insights.
Certifications and Third-Party Assessments
Terac has completed a SOC 2 Type II audit and renews it annually. Please contact security@terac.com to request a copy of the audit report.
Independent penetration tests are performed at least annually by third-party security firms. Please contact security@terac.com to request an executive summary of the latest assessment.
Compliance Standards
- SOC 2 Type II — Audited against the Security, Availability, and Confidentiality trust services criteria
- GDPR — Compliance program in progress (expected Q2 2026)
- CCPA — California Consumer Privacy Act compliance program in progress (expected Q2 2026)
- ISO 27001 — Information security management certification in progress (expected Q2 2026)
Infrastructure Security
Our infrastructure runs on the managed cloud platforms listed below. All servers are located in the United States unless otherwise specified.
Primary Infrastructure Providers
| Provider | Role | Data Handling |
|---|---|---|
| Vercel | Frontend hosting, edge network | Handles web requests, static assets, and API routing. All data encrypted in transit. |
| Supabase | Database | Stores user data, interview transcripts, and files. All data encrypted at rest and in transit. Row-level security enforced. |
| AWS | File storage (S3), CDN (CloudFront) | Stores interview recordings and media files. All data encrypted at rest using AES-256. |
AI and Voice Infrastructure
| Provider | Role | Data Handling |
|---|---|---|
| LiveKit | Real-time voice and video | Powers live AI-moderated interviews. Audio/video processed in real-time, recordings stored in AWS S3. |
| ElevenLabs | Voice synthesis | Generates AI interviewer voices. Input text processed in real-time, not stored. |
AI Model Providers
We use multiple AI providers to power our interview agents and analysis capabilities:
| Provider | Use Case | Data Retention |
|---|---|---|
| OpenAI | Interview analysis, summarization | Zero data retention agreement. Prompts not used for training. |
| Anthropic | Interview moderation, analysis | Zero data retention agreement. Prompts not used for training. |
| Google Cloud (Vertex AI) | Gemini models for analysis | Zero data retention agreement. Prompts not used for training. |
| AssemblyAI | Audio transcription | Zero data retention agreement. Audio transcribed and immediately discarded. |
| Deepgram | Real-time transcription | Zero data retention agreement. Audio processed in real-time only. |
All AI providers are bound by data processing agreements that prohibit the use of customer data for training purposes.
Supporting Services
| Provider | Role | Data Handling |
|---|---|---|
| Stripe | Payment processing | Handles all payment data. Terac does not store credit card numbers. PCI DSS Level 1 certified. |
Geographic Data Residency
All primary infrastructure is hosted in the United States. We do not currently offer data residency in other regions, though this is planned for enterprise customers.
None of our infrastructure is in China. We do not directly use any Chinese company as a subprocessor, and to our knowledge, none of our subprocessors do either.
Access Controls
We implement strict access controls following the principle of least privilege:
- Multi-factor authentication (MFA) is required for all team members accessing production systems
- Role-based access control (RBAC) limits access to data based on job function
- Audit logging tracks all access to sensitive data and systems
- Network segmentation isolates production environments from development
- Secrets rotation ensures credentials are regularly updated
- Zero-trust architecture requires authentication for all internal services
Data Handling
Data Encryption
| Data State | Encryption Method |
|---|---|
| In Transit | TLS 1.3 |
| At Rest (Database) | AES-256 via Supabase |
| At Rest (Files) | AES-256 via AWS S3 |
| At Rest (Backups) | AES-256 with separate keys |
Privacy Controls
For Organizations (Researchers)
- Team-level access controls — Define who can view interview data
- Project isolation — Data is separated by project and organization
- Audit logs — Track all access to research data
- Data export — Export your data in standard formats
- Data deletion — Delete projects and associated data
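The row-level security noted for Supabase in the infrastructure table and the project and organization isolation described in the list above are enforced inside Postgres by policies of the following shape. This is an added illustration, not Terac's schema or policy text: the tables and columns (organizations, memberships, projects, interviews) and the sample user id are hypothetical, while auth.uid() and the authenticated and service_role roles are Supabase's own.

```sql
-- Added illustration of Postgres row-level security as Supabase enforces it.
-- Table and column names are hypothetical; auth.uid() (the caller's user id taken
-- from their JWT) and the roles "authenticated" / "service_role" come from Supabase.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  org_id  uuid not null references organizations(id),
  user_id uuid not null,                         -- auth.users id
  role    text not null check (role in ('admin', 'researcher', 'viewer')),
  primary key (org_id, user_id)
);

create table projects (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organizations(id),
  name   text not null
);

create table interviews (
  id         uuid primary key default gen_random_uuid(),
  project_id uuid not null references projects(id),
  transcript text
);

-- Enable RLS on every table that holds customer data. A table with RLS enabled and
-- no policy returns no rows to "authenticated": it fails closed rather than open.
alter table memberships enable row level security;
alter table projects    enable row level security;
alter table interviews  enable row level security;

-- Weak policy (do not use): any signed-in user can read every interview on the platform.
-- create policy interviews_read on interviews for select to authenticated using (true);

-- Policy subqueries run with the caller's privileges, so memberships and projects need
-- their own read policies; otherwise the isolation checks below would see empty tables.
create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

create policy projects_member on projects
  for select to authenticated
  using (exists (
    select 1 from memberships m
    where m.org_id = projects.org_id and m.user_id = auth.uid()
  ));

-- Organization isolation: an interview is visible only to members of the organization
-- that owns its project. The JWT is attached to every request by the Supabase client,
-- so auth.uid() is the verified identity, not a value the caller can choose.
create policy interviews_member_read on interviews
  for select to authenticated
  using (exists (
    select 1
    from projects p
    join memberships m on m.org_id = p.org_id
    where p.id = interviews.project_id
      and m.user_id = auth.uid()
  ));

-- Writes are narrowed further to admins and researchers of that organization.
create policy interviews_member_write on interviews
  for insert to authenticated
  with check (exists (
    select 1
    from projects p
    join memberships m on m.org_id = p.org_id
    where p.id = interviews.project_id
      and m.user_id = auth.uid()
      and m.role in ('admin', 'researcher')
  ));

-- Check from a SQL console: impersonate the authenticated role with a chosen user id
-- and confirm that only interviews from that user's organizations come back.
-- The UUID below is made up for the illustration.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub": "00000000-0000-0000-0000-000000000001", "role": "authenticated"}', true);
select count(*) from interviews;   -- rows from the user's organizations only
rollback;
```

One caveat worth checking in any Supabase deployment: the service_role key bypasses row-level security entirely, so server-side code that uses it must apply the same organization check itself, and that key must never reach the browser or a client-exposed environment variable.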
For Panelists (Participants)
- Consent management — Clear consent flows before participation
- Data access — View all data associated with your account
- Data deletion — Request complete deletion of your account and data
- Communication preferences — Control how and when we contact you
- Earnings transparency — Clear records of all payments received
AI Data Processing
AI Training
Your data is never used to train AI models. We have zero-retention agreements with all AI providers that prohibit:
- Using your data to train or improve their models
- Retaining your data beyond the request-response cycle
- Sharing your data with third parties
Account Management
Account Deletion
You can delete your account at any time from the Settings page. This will:
- Immediately — Deactivate your account and remove access
- Within 30 days — Purge your personal data from our systems
- Backups — Remove your data from all backups, making the deletion permanent
Note: If you participated in research studies, the anonymized research data may be retained as required by research organizations.
Data Export
You can export your data at any time:
- Participants — Export your profile, interview history, and earnings
Incident Response
We maintain a comprehensive incident response plan:
- Detection — Automated monitoring and alerting
- Containment — Immediate isolation of affected systems
- Investigation — Root cause analysis by security team
- Remediation — Fix vulnerabilities and restore services
- Notification — Notify affected parties as required by law
- Post-mortem — Document lessons learned and improvements
Critical security incidents will be communicated via email to all affected users.
Vulnerability Disclosure
How to Report
If you believe you have found a security vulnerability in Terac, please send an email to security@terac.com with:
- A summary of the vulnerability and potential impact
- Steps to reproduce the issue, including screenshots
- Details of your environment (OS, browser, device)
- If possible, proof-of-concept code to demonstrate the vulnerability
In Scope
- https://terac.com and all subdomains
- Terac mobile applications (iOS)
- Terac API endpoints
- Terac GitHub repositories
Out of Scope
- Automated scanning without prior approval
- Social engineering attacks on Terac employees
- Brute force attacks
- DDoS attacks
- Attacks requiring physical access to a device
- Theoretical attacks without proof of exploitability
Response Timeline
- Acknowledgment — Within 5 business days
- Initial assessment — Within 10 business days
- Resolution — Based on severity (critical: 24-48 hours, high: 7 days, medium: 30 days)
Bug Bounty
We offer rewards for valid security reports:
- Critical (CVSS 9.0+) — Up to $500
- High (CVSS 7.0-8.9) — Up to $200
- Medium (CVSS 4.0-6.9) — Up to $50
Security Roadmap
We continuously invest in improving our security posture. Current initiatives include:
- ISO 27001 certification — In progress (expected Q2 2026)
- GDPR compliance program — In progress (expected Q2 2026)
- CCPA compliance program — In progress (expected Q2 2026)
- SOC 2 Type II audit — Renewed annually
Contact
For security-related inquiries:
- Email: security@terac.com
- Response time: Within 5 business days
For general privacy questions:
- Email: privacy@terac.com
- Data requests: hello@terac.com
Mailing Address:
Terac Inc. 149 New Montgomery St San Francisco, CA 94105 United States