Security
Recording your work shouldn't mean losing control of it.
Last updated: April 15, 2026
Tome Robot captures screens, DOMs, and audio from the tools your team uses. That means we have to be serious about how that data is stored, who can see it, and how it's cleaned before anyone else does.
Privacy by default
- ◆Password fields are never captured — not the keystrokes, not the screenshots.
- ◆Deterministic redaction (emails, phone numbers, credit cards, SSNs) runs on every ingest.
- ◆A vision model blurs regions that look sensitive even when they don't match a dictionary.
- ◆Custom redaction rules let you pin policies to specific pages, elements, or patterns.
Infrastructure
- ◆Runs entirely on Cloudflare: Workers, D1 (SQLite), R2 (object store), Vectorize, Workers AI.
- ◆All storage is encrypted at rest. All traffic is TLS 1.2+.
- ◆Tenant data is isolated at the query layer — every statement is tenant-scoped.
- ◆No shared long-lived credentials between tenants; bindings are per-worker.
Access control
- ◆Roles: owner, editor, reviewer, auditor, viewer. Enforced on every API call.
- ◆Session cookies are HTTP-only, SameSite=Lax, signed, and short-lived.
- ◆Password auth uses PBKDF2 with per-user salts; Google OAuth is supported out of the box.
- ◆SAML/OIDC SSO is coming to Enterprise; email/password and Google sign-in are live today.
Auditability
- ◆Every publish, role grant, and redaction change is written to an immutable audit log.
- ◆Auditor role grants read-only access to the log without editing rights.
- ◆Webhooks fire on sensitive events so you can pipe them to your own SIEM.
Compliance
- ◆SOC 2 Type I in progress (target: Q3).
- ◆DPA available on request for Business and above.
- ◆GDPR: users can export and delete all tenant data via the REST API or a support request.
- ◆Data residency options (US, EU) on Enterprise.
Responsible disclosure
Found something? We want to hear about it before you tweet about it. Email security@tomerobot.com and we'll respond within one business day. We don't take legal action against good-faith research.
See our privacy policy →