Security principles
Talkform is designed around least privilege, server-side validation, short-lived provider credentials, restricted access, secure transport, and collecting only information needed for the interview. Security controls continue to evolve and must be verified for the specific deployment.
Current limitations
Talkform is an early product and does not claim SOC 2, ISO 27001, HIPAA eligibility, PCI compliance, or any other certification on this page. Customers should not use it for credentials, payment card data, protected health information, or other regulated information without a written review of architecture, contracts, retention, and incident obligations.
Customer responsibilities
Use least-privileged accounts, protect exports, review imported forms, avoid secrets in prompts, validate structured results, and provide appropriate participant notice and consent. Test authorization, retention, deletion, and failure recovery before production use.
Responsible disclosure
Send a concise report to support@talkform.ai with the affected URL or component, reproduction steps, impact, and a safe contact method. Do not access other users' data, disrupt the service, or publish sensitive details before there has been a reasonable opportunity to investigate. We do not currently promise a paid bug bounty or a fixed response SLA.
Privacy and vendors
Security depends on data minimization, controlled vendor access, and documented retention. Review the privacy policy and subprocessor list alongside this page.