Security Policy | Terac Legal

Keeping your data secure is critical to us. This page outlines how we approach security at Terac.

Please submit potential vulnerabilities via email to security@terac.com.

For any security-related questions, feel free to contact us at security@terac.com.

Summary

Terac is an AI-native panel infrastructure that recruits, screens, and delivers verified participants to research platforms worldwide, while providing panelists a seamless way to participate in studies and earn compensation. Security and privacy are foundational to our platform, both for the organizations conducting sensitive research and for the panelists sharing personal insights.

Certifications and Third-Party Assessments

Terac is SOC 2 Type II certified. We are committed to maintaining the highest standards of security and compliance. Please contact security@terac.com to request a copy of our certification report.

We commit to conducting at-least-annual penetration testing by reputable third-party security firms. Please contact security@terac.com to request an executive summary of our latest assessment.

Compliance Standards

SOC 2 Type II — Certified for security, availability, and confidentiality
GDPR Compliant — Full compliance with EU data protection regulations (expected Q2 2026)
CCPA Compliant — California Consumer Privacy Act compliance (expected Q2 2026)
ISO 27001 — Information security management (expected Q2 2026)

Infrastructure Security

Our infrastructure is built on enterprise-grade cloud platforms with security as a priority. All servers are located in the United States unless otherwise specified.

Primary Infrastructure Providers

Provider	Role	Data Handling
Vercel	Frontend hosting, edge network	Handles web requests, static assets, and API routing. All data encrypted in transit.
AWS	Database, file storage, CDN	PostgreSQL database stores user data and transcripts. S3 stores media files. All data encrypted at rest using AES-256.

AI and Voice Infrastructure

Provider	Role	Data Handling
LiveKit	Real-time voice and video	Powers live AI-moderated interviews. Audio/video processed in real-time, recordings stored in AWS S3.
ElevenLabs	Voice synthesis	Generates AI interviewer voices. Input text processed in real-time, not stored.

AI Model Providers

We use multiple AI providers to power our interview agents and analysis capabilities:

Provider	Use Case	Data Retention
OpenAI	Interview analysis, summarization	Zero data retention agreement. Prompts not used for training.
Anthropic	Interview moderation, analysis	Zero data retention agreement. Prompts not used for training.
Google Cloud (Vertex AI)	Gemini models for analysis	Zero data retention agreement. Prompts not used for training.
AssemblyAI	Audio transcription	Zero data retention agreement. Audio transcribed and immediately discarded.
Deepgram	Real-time transcription	Zero data retention agreement. Audio processed in real-time only.

All AI providers are bound by data processing agreements that prohibit the use of customer data for training purposes.

Supporting Services

Provider	Role	Data Handling
Stripe	Payment processing	Handles all payment data. Terac does not store credit card numbers. PCI DSS Level 1 certified.

Geographic Data Residency

All primary infrastructure is hosted in the United States. We do not currently offer data residency in other regions, though this is planned for enterprise customers.

None of our infrastructure is in China. We do not directly use any Chinese company as a subprocessor, and to our knowledge, none of our subprocessors do either.

Access Controls

We implement strict access controls following the principle of least privilege:

Multi-factor authentication (MFA) is required for all team members accessing production systems
Role-based access control (RBAC) limits access to data based on job function
Audit logging tracks all access to sensitive data and systems
Network segmentation isolates production environments from development
Secrets rotation ensures credentials are regularly updated
Zero-trust architecture requires authentication for all internal services

Data Handling

Data Encryption

Data State	Encryption Method
In Transit	TLS 1.3
At Rest (Database)	AES-256
At Rest (Files)	AES-256 via AWS S3
At Rest (Backups)	AES-256 with separate keys

Privacy Controls

For Organizations (Researchers)

Team-level access controls — Define who can view interview data
Project isolation — Data is separated by project and organization
Audit logs — Track all access to research data
Data export — Export your data in standard formats
Data deletion — Delete projects and associated data

For Panelists (Participants)

Consent management — Clear consent flows before participation
Data access — View all data associated with your account
Data deletion — Request complete deletion of your account and data
Communication preferences — Control how and when we contact you
Earnings transparency — Clear records of all payments received

AI Data Processing

AI Training

Your data is never used to train AI models. We have zero-retention agreements with all AI providers that prohibit:

Using your data to train or improve their models
Retaining your data beyond the request-response cycle
Sharing your data with third parties

Account Management

Account Deletion

You can delete your account at any time from the Settings page. This will:

Immediately — Deactivate your account and remove access
Within 30 days — Purge all personal data from our systems
Permanent — Remove data from all backups

Note: If you participated in research studies, the anonymized research data may be retained as required by research organizations.

Data Export

You can export your data at any time:

Participants — Export your profile, interview history, and earnings

Incident Response

We maintain a comprehensive incident response plan:

Detection — Automated monitoring and alerting
Containment — Immediate isolation of affected systems
Investigation — Root cause analysis by security team
Remediation — Fix vulnerabilities and restore services
Notification — Notify affected parties as required by law
Post-mortem — Document lessons learned and improvements

Critical security incidents will be communicated via email to all affected users.

Vulnerability Disclosure

How to Report

If you believe you have found a security vulnerability in Terac, please send an email to security@terac.com with:

A summary of the vulnerability and potential impact
Steps to reproduce the issue, including screenshots
Details of your environment (OS, browser, device)
If possible, proof-of-concept code to demonstrate the vulnerability

In Scope

https://terac.com and all subdomains
Terac mobile applications (iOS)
Terac API endpoints
Terac GitHub repositories

Out of Scope

Automated scanning without prior approval
Social engineering attacks on Terac employees
Brute force attacks
DDoS attacks
Attacks requiring physical access to a device
Theoretical attacks without proof of exploitability

Response Timeline

Acknowledgment — Within 5 business days
Initial assessment — Within 10 business days
Resolution — Based on severity (critical: 24-48 hours, high: 7 days, medium: 30 days)

Bug Bounty

We offer rewards for valid security reports:

Critical (CVSS 9.0+) — Up to $500
High (CVSS 7.0-8.9) — Up to $200
Medium (CVSS 4.0-6.9) — Up to $50

Security Roadmap

We continuously invest in improving our security posture. Current initiatives include:

ISO 27001 certification — In progress (expected Q2 2026)
GDPR certification — In progress (expected Q2 2026)
CCPA certification — In progress (expected Q2 2026)
SOC 2 Type II renewal — Annual

Contact

For security-related inquiries:

Email: security@terac.com
Response time: Within 5 business days

For general privacy questions:

Email: privacy@terac.com
Data requests: hello@terac.com

Mailing Address:

Terac Inc. 149 New Montgomery St San Francisco, CA 94105 United States

Keeping your data secure is critical to us. This page outlines how we approach security at Terac.

Please submit potential vulnerabilities via email to security@terac.com.

For any security-related questions, feel free to contact us at security@terac.com.

Summary

Certifications and Third-Party Assessments

Terac is SOC 2 Type II certified. We are committed to maintaining the highest standards of security and compliance. Please contact security@terac.com to request a copy of our certification report.

We commit to conducting at-least-annual penetration testing by reputable third-party security firms. Please contact security@terac.com to request an executive summary of our latest assessment.

Compliance Standards

SOC 2 Type II — Certified for security, availability, and confidentiality
GDPR Compliant — Full compliance with EU data protection regulations (expected Q2 2026)
CCPA Compliant — California Consumer Privacy Act compliance (expected Q2 2026)
ISO 27001 — Information security management (expected Q2 2026)

Infrastructure Security

Our infrastructure is built on enterprise-grade cloud platforms with security as a priority. All servers are located in the United States unless otherwise specified.

Primary Infrastructure Providers

Provider	Role	Data Handling
Vercel	Frontend hosting, edge network	Handles web requests, static assets, and API routing. All data encrypted in transit.
AWS	Database, file storage, CDN	PostgreSQL database stores user data and transcripts. S3 stores media files. All data encrypted at rest using AES-256.

AI and Voice Infrastructure

Provider	Role	Data Handling
LiveKit	Real-time voice and video	Powers live AI-moderated interviews. Audio/video processed in real-time, recordings stored in AWS S3.
ElevenLabs	Voice synthesis	Generates AI interviewer voices. Input text processed in real-time, not stored.

AI Model Providers

We use multiple AI providers to power our interview agents and analysis capabilities:

Provider	Use Case	Data Retention
OpenAI	Interview analysis, summarization	Zero data retention agreement. Prompts not used for training.
Anthropic	Interview moderation, analysis	Zero data retention agreement. Prompts not used for training.
Google Cloud (Vertex AI)	Gemini models for analysis	Zero data retention agreement. Prompts not used for training.
AssemblyAI	Audio transcription	Zero data retention agreement. Audio transcribed and immediately discarded.
Deepgram	Real-time transcription	Zero data retention agreement. Audio processed in real-time only.

All AI providers are bound by data processing agreements that prohibit the use of customer data for training purposes.

Supporting Services

Provider	Role	Data Handling
Stripe	Payment processing	Handles all payment data. Terac does not store credit card numbers. PCI DSS Level 1 certified.

Geographic Data Residency

All primary infrastructure is hosted in the United States. We do not currently offer data residency in other regions, though this is planned for enterprise customers.

None of our infrastructure is in China. We do not directly use any Chinese company as a subprocessor, and to our knowledge, none of our subprocessors do either.

Access Controls

We implement strict access controls following the principle of least privilege:

Multi-factor authentication (MFA) is required for all team members accessing production systems
Role-based access control (RBAC) limits access to data based on job function
Audit logging tracks all access to sensitive data and systems
Network segmentation isolates production environments from development
Secrets rotation ensures credentials are regularly updated
Zero-trust architecture requires authentication for all internal services

Data Handling

Data Encryption

Data State	Encryption Method
In Transit	TLS 1.3
At Rest (Database)	AES-256
At Rest (Files)	AES-256 via AWS S3
At Rest (Backups)	AES-256 with separate keys

Privacy Controls

For Organizations (Researchers)

Team-level access controls — Define who can view interview data
Project isolation — Data is separated by project and organization
Audit logs — Track all access to research data
Data export — Export your data in standard formats
Data deletion — Delete projects and associated data

For Panelists (Participants)

Consent management — Clear consent flows before participation
Data access — View all data associated with your account
Data deletion — Request complete deletion of your account and data
Communication preferences — Control how and when we contact you
Earnings transparency — Clear records of all payments received

AI Data Processing

AI Training

Your data is never used to train AI models. We have zero-retention agreements with all AI providers that prohibit:

Using your data to train or improve their models
Retaining your data beyond the request-response cycle
Sharing your data with third parties

Account Management

Account Deletion

You can delete your account at any time from the Settings page. This will:

Immediately — Deactivate your account and remove access
Within 30 days — Purge all personal data from our systems
Permanent — Remove data from all backups

Note: If you participated in research studies, the anonymized research data may be retained as required by research organizations.

Data Export

You can export your data at any time:

Participants — Export your profile, interview history, and earnings

Incident Response

We maintain a comprehensive incident response plan:

Detection — Automated monitoring and alerting
Containment — Immediate isolation of affected systems
Investigation — Root cause analysis by security team
Remediation — Fix vulnerabilities and restore services
Notification — Notify affected parties as required by law
Post-mortem — Document lessons learned and improvements

Critical security incidents will be communicated via email to all affected users.

Vulnerability Disclosure

How to Report

If you believe you have found a security vulnerability in Terac, please send an email to security@terac.com with:

A summary of the vulnerability and potential impact
Steps to reproduce the issue, including screenshots
Details of your environment (OS, browser, device)
If possible, proof-of-concept code to demonstrate the vulnerability

In Scope

https://terac.com and all subdomains
Terac mobile applications (iOS)
Terac API endpoints
Terac GitHub repositories

Out of Scope

Automated scanning without prior approval
Social engineering attacks on Terac employees
Brute force attacks
DDoS attacks
Attacks requiring physical access to a device
Theoretical attacks without proof of exploitability

Response Timeline

Acknowledgment — Within 5 business days
Initial assessment — Within 10 business days
Resolution — Based on severity (critical: 24-48 hours, high: 7 days, medium: 30 days)

Bug Bounty

We offer rewards for valid security reports:

Critical (CVSS 9.0+) — Up to $500
High (CVSS 7.0-8.9) — Up to $200
Medium (CVSS 4.0-6.9) — Up to $50

Security Roadmap

We continuously invest in improving our security posture. Current initiatives include:

ISO 27001 certification — In progress (expected Q2 2026)
GDPR certification — In progress (expected Q2 2026)
CCPA certification — In progress (expected Q2 2026)
SOC 2 Type II renewal — Annual

Contact

For security-related inquiries:

Email: security@terac.com
Response time: Within 5 business days

For general privacy questions:

Email: privacy@terac.com
Data requests: hello@terac.com

Mailing Address:

Terac Inc. 149 New Montgomery St San Francisco, CA 94105 United States

Summary

Certifications and Third-Party Assessments

Compliance Standards

Infrastructure Security

Primary Infrastructure Providers

AI and Voice Infrastructure

AI Model Providers

Supporting Services

Geographic Data Residency

Access Controls

Data Handling

Data Encryption

Privacy Controls

For Organizations (Researchers)

For Panelists (Participants)

AI Data Processing

AI Training

Account Management

Account Deletion

Data Export

Incident Response

Vulnerability Disclosure

How to Report

In Scope

Out of Scope

Response Timeline

Bug Bounty

Security Roadmap

Contact

Ready to recruit quality participants, fast?

Summary

Certifications and Third-Party Assessments

Compliance Standards

Infrastructure Security

Primary Infrastructure Providers

AI and Voice Infrastructure

AI Model Providers

Supporting Services

Geographic Data Residency

Access Controls

Data Handling

Data Encryption

Privacy Controls

For Organizations (Researchers)

For Panelists (Participants)

AI Data Processing

AI Training

Account Management

Account Deletion

Data Export

Incident Response

Vulnerability Disclosure

How to Report

In Scope

Out of Scope

Response Timeline

Bug Bounty

Security Roadmap

Contact

Ready to recruit quality participants, fast?