Trust Center

SOC 2 Type II Certified

GDPR Compliant

Overview

Toffu is an AI marketing platform used by in-house marketing teams and agencies to plan, run, and optimize their marketing with generative AI.

Marketers work with Toffu through a chat interface in any browser. Toffu connects to your ad accounts, analytics, and content channels, then executes marketing work on your behalf: launching and optimizing campaigns, pulling and merging performance data across platforms, and creating content.

Agencies and in-house teams in e-commerce, SaaS, and fintech rely on Toffu to manage campaigns, reporting, and content across their accounts and clients.

No AI Training On Your Data

Your data is your data. We have a firm commitment that your marketing content, customer data, and proprietary materials are never used to train our AI models.

Toffu is built for businesses that require complete data privacy and security. We maintain strict data isolation with no cross-client data sharing or model learning from your valuable intellectual property.

This policy applies to all marketing assets, communications, customer data, and any other information processed through our platform. Your competition will never benefit from your marketing insights through our AI systems.

Commitment to GDPR and Data Privacy

Toffu is fully compliant with the General Data Protection Regulation (GDPR). We are committed to protecting the privacy and data rights of our users, and our platform is designed with data protection as a core principle.

We provide full transparency about how we handle data in the following documents:

Our commitment ensures that your data is handled securely and in accordance with the highest standards of data protection.

Security

Indexing Controls

Control what marketing data is indexed with granular filtering options at the source level. Toffu only processes the data you explicitly allow.

Automatic PII Redaction

Our AI models automatically redact Personally Identifiable Information (PII) from marketing data sources, ensuring customer privacy in all your marketing activities.

Logical Separation

Your marketing assets and data are logically separated within a dedicated tenant. No customer's marketing materials or data are ever accessible to other clients.

Secure Cloud Environment

All marketing content processing occurs in Toffu's secure cloud environment. Your valuable marketing assets and customer data remain protected and are never shared with third parties.

Secure Encryption At Every Step

All marketing data and assets are encrypted using industry-leading standards: TLS 1.2/1.3 in transit and AES 256-bit encryption at rest.

Policies

We are SOC 2 Type II certified. This certification demonstrates our commitment to security, availability, processing integrity, confidentiality, and privacy of customer data. Our audit reports and detailed policy documents are available upon request to qualified prospects and customers under NDA at security@toffu.ai.

Information Security Policy
Risk Management Policy
Access Control Policy
Change Management Policy
Data Classification Policy
Incident Response Plan
Business Continuity Plan
Vendor Management Policy

Best-in-class monitoring

Software Security

Code Review Processes
Employee Disclosure Processes
Firewalls
Quarterly Vulnerability Scans

Data Security

Daily Database Backups
Encryption at Rest
Security Policy
SSL/TLS Enforced
MFA on Accounts
Session Lock

Network Security

Denial of Public SSH
Firewalls
Logging/Monitoring
Malware Detection Software
Enterprise-Grade Cloud Data Storage
Multiple Availability Zones

Organization Security

Acceptable Use Policy
Code of Conduct
Disaster Recovery Plan
Incident Response Plan
Password Policy

Subprocessors

Toffu works with industry-leading partners to power our AI marketing platform, services, and communications. We have taken care to ensure that all our subprocessors are compliant with data protection regulations, including the GDPR.

For a full, up-to-date list of our subprocessors and to understand what we use them for, please see our Subprocessors page.

Additional details

Toffu is a business AI marketing platform that connects to your marketing stack and acts on it. Through a single chat interface, Toffu runs and optimizes campaigns across Google, Meta, and LinkedIn, merges performance data across platforms, generates and publishes content, and produces reporting and analytics on demand.

Privacy

Toffu collects limited personally identifiable information necessary to deliver our marketing AI services. We prioritize data minimization and do not collect credit card information or personal health information at any time as part of our service. Our platform is designed to help you create effective marketing while respecting user privacy.

Privacy Policy

Frequently Asked Questions

How does the connection work and where is the information stored?

Toffu connects to your marketing platforms through secure API integrations and OAuth authentication. Your data is stored in our enterprise-grade cloud infrastructure under our SOC 2 Type II controls.

What the system actually does: Our AI analyzes your marketing content, campaigns, and performance data to provide insights, optimization recommendations, and automated content generation while maintaining complete data isolation between clients.

What information is transferred to Toffu and what type is it?

We only access the marketing data you explicitly authorize, which typically includes campaign performance metrics, budgets, content assets, audience insights, and marketing analytics.

Is the information exposed to other providers?

No. Your data is never shared with third parties or other clients. We use select subprocessors (like cloud infrastructure providers) solely for technical service delivery, but they have no access to your actual marketing data or content. All data processing occurs within our secure, isolated environment.

If I want to cancel the service, is the information deleted immediately?

Upon service cancellation, your data is scheduled for deletion within 30 days. This grace period ensures you can reactivate your account if needed and allows for proper data cleanup procedures. After 30 days, all your data is permanently and irreversibly deleted from our systems.

Can I receive my data before deletion?

Yes, absolutely. You can request a complete export of your data at any time during your subscription or within the 30-day grace period after cancellation. We provide data exports in standard formats (JSON, CSV) and can accommodate specific format requests. This ensures you maintain full control over your marketing data and insights.

Contact Us

If you have any questions or concerns about our security practices or policies, please contact us at:

security@toffu.ai