Trusaic GDPR
Compliance

International data transfers

Trusaic has implemented the following two mechanisms for international data transfers.

Mechanism 1

The EU-U.S. Data Privacy Framework (DPF)

The DPF establishes a binding adequacy decision. EU supervisory authorities must accept the adequacy decision as creating a valid mechanism for EU-U.S. data transfers in compliance with the transfer provisions of the GDPR. Trusaic maintains a certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), including the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework. For companies certified to the DPF, a transfer impact assessment (TIA) is not required. A TIA is a formal risk assessment of all applicable privacy risks and of the safeguards that mitigate them. Our customers can find the link to the DPF certification list here. We will maintain the certification throughout the term of any client agreement.

Mechanism 2

Standard Contractual Clauses

  • Trusaic routinely implements standard contractual clauses through its data processing addendum available here.
  • Trusaic utilizes the European Commission's Standard Contractual Clauses (Commission Implementing Decision 2021/914 of 4 June 2021) (SCCs). The SCCs are a widely used safeguarding tool for international transfers. The 2021 SCCs are in a template format approved by the European Commission so there is very little need to make changes. Under the 2021 SCCs, the responsibility for conducting TIAs primarily sits with the data exporter. Trusaic provides resources to assist customers in performing TIAs in connection with their use of Trusaic's software-as-a-service application.

Trusaic's data protection strategy framework

Encryption

Trusaic encrypts all data across our systems in transit and at rest using secure, up-to-date protocols and key lengths.

  • Encryption in motion: TLS 1.2+
  • Encryption at rest: AES-256+ disk encryption
  • Encryption keys are properly secured using Microsoft-managed keys

Trusaic protects data in our data centers

Your data is protected from both physical and environmental threats.

  • Trusaic’s workplace equity platform is hosted on Microsoft Azure
  • Customer data is physically protected by Trusaic’s cloud hosting provider, which is SOC 2 and ISO 27001 certified
  • Environmental protections against fire, moisture, and loss of power or connectivity

Access control

Trusaic requires unique user accounts and multi-factor authentication for all our software solutions.

  • Role-based access
  • Access by the Trusaic team to the databases is on a need-to-know basis, following the principle of least privilege
  • Access is removed promptly when no longer required
  • Access rights reviews, approvals and tracking

Comprehensive logging

Trusaic has a comprehensive logging infrastructure in place across our software solutions and systems to assist clients in monitoring user activity.

  • Trusaic logs all user and network activity and responds to alerts of any abnormal activity
  • Firewalls and host-based intrusion detection are in place
  • Logs are reviewed weekly and on alert
  • Security logs are retained indefinitely and all other logs for 90 days

We stand by our data security

Trusaic undergoes independent security auditing, vulnerability scanning, and penetration testing. Trusaic's software solutions undergo continuous vulnerability scanning and annual external application penetration testing. As part of the software development life cycle, the software solutions undergo industry standard quality assurance and regression testing.

In addition to Trusaic's information security program and application scanning and testing, Trusaic benefits from the world-class physical and environmental security of Microsoft's Azure cloud platform. For more information on Azure's security certifications, see here.

Industry-standard security evaluation

  • Annual SOC 2 Type II audit conducted by BDO, LLP, an independent auditor, covering all five trust services principles: security, privacy, confidentiality, availability and processing integrity
  • A copy of the report is available to clients upon request
  • Trusaic is in the process of obtaining ISO 27001 certification, which is an internationally recognized standard for information security management systems

Vulnerability scanning and penetration testing

  • Continuous vulnerability scanning is integrated into our CI pipeline, and annual external application penetration testing is conducted
