Third-party Subprocessors
Taloflow uses a minimal number of third-party subprocessors. All are assessed for privacy compliance, and Data Processing Agreements (DPAs) are in place with each before any personal data is shared.
Subprocessor List
Auth0 | Okta, Inc. | Email, name, password hash | Identity management, authentication | SOC 2 Type II, ISO 27001 | Yes | USA
Linode | Akamai Technologies | All data (infrastructure host) | Cloud infrastructure and hosting | SOC 2 Type II, ISO 27001 | Yes | USA
Stripe | Stripe, Inc. | Subscription references only (no card data) | Payment processing | PCI DSS Level 1 | Yes | USA
What Taloflow Does Not Share
Payment card numbers are not shared with Taloflow or any processor other than Stripe. Card data is collected client-side via Stripe.js and never transits Taloflow infrastructure.
Evaluation content — product assessments, requirements, and scoring — is not shared with any third party.
Auth0 receives only the identity fields strictly necessary for authentication. It does not receive evaluation data, organizational content, or usage analytics.
The use of Stripe.js means Taloflow operates outside PCI DSS scope for card data. No card numbers, CVCs, or expiry dates are ever present on Taloflow servers.
Subprocessor Detail
Auth0 (Okta, Inc.)
Taloflow delegates credential storage entirely to Auth0. Passwords never reach Taloflow servers in any form. In addition to credential storage, Auth0 provides:
Multi-factor authentication (MFA): TOTP and push-based second factors
Brute force protection: Automatic lockout after repeated failed logins
Password breach detection: Integration with haveibeenpwned to flag compromised credentials
Anomaly detection: Impossible travel and suspicious login detection
Auth0 is SOC 2 Type II and ISO 27001 certified.
Linode (Akamai Technologies)
All Taloflow infrastructure runs on Linode, now part of Akamai Connected Cloud. Physical data center security controls include:
Perimeter security: Fencing and controlled entry points
Access control: Multi-factor authentication and biometric verification
Monitoring: 24/7 on-site monitoring
Visitor management: Logged visitor access with escort requirements
Akamai is SOC 2 Type II and ISO 27001 certified.
Taloflow retains full key sovereignty over data stored on Linode. Encryption keys are managed by Taloflow and are not accessible to Akamai.
Stripe (Stripe, Inc.)
Payment card data is collected directly by Stripe.js in the user's browser and never touches Taloflow servers. Taloflow receives only:
A Stripe subscription ID
Plan status (via webhook)
No card number, CVV, or expiry date is ever transmitted to or stored on Taloflow infrastructure. Stripe is PCI DSS Level 1 certified.
Updates
This page is updated when subprocessors are added or removed. Organizations requiring advance notice of subprocessor changes should review the DPA terms or contact [email protected].
Last reviewed: April 2026