Topo Trust Center

Topo

Topo is an AI-powered outbound prospecting platform for B2B revenue teams. Our agents automate research, qualification and multichannel outreach — built with security, privacy and compliance as first-class concerns.

Compliance

Controls

89 controls verified

Access Control & Authentication

  • OAuth 2.0 / PKCE authentication flow
  • JWT access token validation
  • MFA enforced on all internal tools

+11 more

Network & Infrastructure

  • Cloudflare WAF with OWASP ruleset
  • DDoS protection & rate limiting
  • Bot management at edge layer

+11 more

Data Protection

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • HTTPS enforced (HTTP redirect)

+7 more

Change Management & SDLC

  • Formal SDLC methodology
  • Changes authorized, documented & tested
  • Pull request approval required (author ≠ reviewer)

+6 more

Privacy by design

Why you're in a safe & compliant place

Topo was architected from the ground up with privacy-by-design and data-minimization principles. Our infrastructure, data sourcing and AI workflows are deliberately structured to ensure full GDPR compliance while minimizing regulatory exposure for our customers.

Not a data provider

Topo does not sell, resell or commercialize raw datasets. We are an orchestration layer on top of compliant, customer-authorized sources (Cognism, FullEnrich, Exa, Linkup, Theirstack and other data providers).

Company-centric, not personal profiling

We process company signals (industry, funding, hiring, tech stack) and strictly business contact data — no Article 9 GDPR categories, no consumer data, no shadow profiling.

Clear GDPR role separation

Customers remain the data controllers; Topo acts as processor. Every engagement is framed by a DPA defining scope, retention, security and processing boundaries.

Data minimization by design

Raw data is transformed into derived signals — scores, flags, embeddings. We capture aggregated, anonymized performance metrics, not personal records.

AI without personal data leakage

No foundation model training on customer data. No cross-tenant contamination. Adaptation happens via RAG and prompt-level conditioning, never through shared weights.

Enterprise-grade infrastructure

Strict tenant isolation, encryption at rest and in transit, hardened secrets vaults, full audit trails, and SOC 2 controls continuously monitored via Vanta.

Lawful outbound by default

Native guardrails: suppression lists, volume throttling, centralized contact tracking, automated opt-out handling and CRM sync — aligned with ePrivacy and GDPR Article 21.

Built for regulatory durability

No scraping of private accounts, no shadow profiling, no enrichment of sensitive attributes, no resale of data assets. Deliberately outside regulatory gray zones.

Architecture

How Topo is built

Topo runs on a multi-tenant cloud architecture on Render's managed PaaS, behind Cloudflare CDN + WAF with DDoS protection and OWASP rate-limiting at the edge. All traffic is TLS 1.3 end-to-end.

The application layer (Next.js SSR, FastAPI, Temporal workers) runs inside a private VPC with a zero-trust service mesh. JWT validation, RBAC middleware and input sanitization gate every API call; secrets are env-scoped and auto-rotated through Doppler with full audit logging.

Data lives in dedicated VPCs: Neon serverless PostgreSQL (TLS, IP allowlist) and Redis (TLS, AUTH) for rate-limiting and cache, reachable only via private links. Workflow orchestration runs in Temporal Cloud with mTLS + namespace ACLs. Observability flows through a Datadog agent with PII scrubbing and log redaction.
