Data privacy is our top priority
Trusaic has implemented and maintains a comprehensive information security program containing administrative, technical, and physical safeguards that secure your data consistently with applicable data protection laws, including but not limited to the EU/UK GDPR and applicable federal and state law such as the California Consumer Privacy Act (collectively, "Data Protection Laws").
Trusaic's data protection strategy framework
Trusaic encrypts all data in transit and at rest using current, secure protocols and key lengths.
- Encryption in transit: TLS 1.2 or higher
- Encryption at rest: AES-256 disk encryption
- Encryption keys are protected using Microsoft-managed (Azure platform-managed) keys
Trusaic protects your data in our data centers
Your data is protected from both physical and environmental threats.
- Trusaic's workplace equity platform is hosted on Microsoft Azure
- Customer data is physically protected by Trusaic's cloud hosting provider, which holds SOC 2 attestation and ISO 27001 certification
- Environmental protections against fire, moisture, and loss of power or connectivity
Trusaic requires unique user accounts and multi-factor authentication for all of our software solutions.
Our access controls include:
- Role-based access
- Access by the Trusaic team to databases is granted on a need-to-know basis, following the principle of least privilege
- Access is removed promptly when no longer required
- Access rights reviews, approvals and tracking
Trusaic has a comprehensive logging infrastructure in place across our software solutions and systems to assist clients in monitoring user activity.
- Trusaic logs all user and network activity and responds to alerts on any abnormal activity
- Firewalls and host-based intrusion detection are in place
- Logs are reviewed weekly and on alert
- Security logs are retained indefinitely and all other logs for 90 days
We stand by our data security
Trusaic undergoes independent security auditing, vulnerability scanning, and penetration testing. Trusaic's software solutions undergo continuous vulnerability scanning and annual external application penetration testing. As part of the software development life cycle, the software solutions also undergo industry-standard quality assurance and regression testing.
In addition to Trusaic's information security program and application scanning and testing, Trusaic benefits from the world-class physical and environmental security of Microsoft's Azure cloud platform. For more information on Azure's security certifications, refer to Microsoft's published Azure compliance documentation.
Industry-standard security evaluation
- Every year, Trusaic undergoes an independent audit against all five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), conducted by BDO, LLP as part of our SOC 2 Type II examination
- A copy of the report is available to clients upon request
- Trusaic is in the process of obtaining ISO 27001 certification, the internationally recognized standard for information security management systems
Vulnerability scanning and penetration testing
- Continuous vulnerability scanning is integrated into our CI pipeline, and annual external application penetration testing is conducted by an independent third party