Security.

We take a deliberate posture on where user data lives. This page names it plainly.

Architecture, at a glance.

Memory
The memory card that holds each Tomoni user's identity lives on-device, in iOS UserDefaults, and syncs to the user's own private iCloud account. It does not transit or persist on exp² infrastructure.
Messages
Conversations between the user and Tomoni are held on-device. They are not uploaded to or stored on exp² servers.
OAuth tokens
Credentials for connected accounts (Gmail, Outlook, Slack, iCloud Mail, etc.) are stored in the iOS Keychain on-device. They are not uploaded to exp² servers.
Server-side
We retain only what is required to operate the service: account identifier, onboarding profile, and rate-limit metadata. No message content. No memory content.
Transit
All network traffic uses TLS. Our edge functions forward prompts to the AI model provider but do not persist them.
Third parties
We use Anthropic's Claude API to generate responses and Supabase to host our account system. Their handling of traffic is governed by their own security policies.
Encryption
On-device data is protected by iOS file-system encryption and the Keychain. Server-side data is protected by Supabase's encryption-at-rest and row-level security policies.

What this means in practice.

When Tomoni remembers something about you, that memory lives on your phone. When she speaks with an AI to generate a response, the prompt travels to the AI provider and back — through our infrastructure, but not into it. If you delete Tomoni, the memory card deletes with her. If you delete your exp² account, the small amount of account data we hold is deleted from our servers.

Our posture is deliberate: what we don't hold, we can't lose, can't leak, and can't be subpoenaed for. The less user data lives on our servers, the safer the user is, and the safer we are.

Reporting a vulnerability.

If you believe you've found a security vulnerability in Tomoni, exp² RCI, or any exp² product, please write to contact@exp2.io with as much detail as you can provide. We'll respond as quickly as we can, work with you to confirm and address the issue, and credit you appropriately. We do not currently run a formal bug bounty program, but we take security reports seriously.

What we are still formalizing.

exp² is an early-stage company. We are in the process of formalizing SOC 2, a full penetration-test cycle, and a comprehensive third-party audit. Until those are complete, we will not claim them. We will share the results with partners under NDA as the program matures. For businesses evaluating exp² RCI as infrastructure, we are happy to go into the above in more detail on a briefing call.

Last updated: April 2026