Data privacy is our top priority
Trusaic has implemented and maintains a comprehensive information security program with administrative, technical, and physical safeguards to secure your data, consistent with all applicable data protection laws, including but not limited to the EU/UK GDPR and applicable federal and state law such as the California Consumer Privacy Act (collectively, "Data Protection Laws").
Trusaic's data protection strategy framework
Trusaic encrypts all data in transit and at rest using secure, up-to-date protocols and key lengths.
- Encryption in motion: TLS 1.2+
- Encryption at rest: AES-256+ disk encryption
- Encryption keys are properly secured using Microsoft-managed keys
Trusaic protects your data in our data centers
Your data is protected, both from physical and environmental threats.
- Trusaic's workplace equity platform is hosted on Microsoft Azure cloud computing services
- Customer data is physically protected by Trusaic's cloud hosting provider, which is SOC 2 and ISO 27001 certified
- Environmental protections against fire, moisture, and loss of power or connectivity
Trusaic requires unique user accounts and multi-factor authentication for all our software solutions.
Our access controls include:
- Role-based access
- Access by the Trusaic team to the databases is on a need-to-know basis, following the principle of least privilege
- Access is removed promptly when no longer required
- Access rights reviews, approvals and tracking
Trusaic has a comprehensive logging infrastructure in place across our software solutions and systems to assist clients in monitoring user activity.
- Trusaic logs all user and network activity and responds to alerts of any abnormal activity
- Firewalls and host-based intrusion detection are in place
- Logs are reviewed weekly and on alert
- Security logs are retained indefinitely and all other logs for 90 days
We stand by our data security
Trusaic undergoes independent security auditing, vulnerability scanning, and penetration testing. Trusaic's software solutions undergo continuous vulnerability scanning and annual external application penetration testing. As part of the software development life cycle, the software solutions undergo industry standard quality assurance and regression testing.
In addition to Trusaic's information security program and application scanning and testing, Trusaic benefits from the Microsoft Azure cloud platform's world-class physical and environmental security. For more information on Azure's security certifications, see here.
Industry-standard security evaluation
- Annual SOC 2 Type II audit conducted by BDO, LLP, an independent auditor, covering all five trust services principles: security, privacy, confidentiality, availability, and processing integrity
- A copy of the report is available to clients upon request
Vulnerability scanning and penetration testing
- Continuous vulnerability scanning is integrated into our CI pipeline, and annual external application penetration testing is conducted