Trusaic GDPR Compliance

Trusaic GDPR
Compliance

Trusaic GDPR
Compliance

Data privacy is our top priority

Trusaic has implemented and maintains a comprehensive information security program that contains administrative, technical, and physical safeguards to secure your data that are consistent with all data protection laws, including but not limited to EU/UK GDPR, applicable federal and state law, including, but not limited to, California Consumer Privacy Act (collectively, "Data Protection Laws").

Trusaic's data protection strategy framework

Encryption

Trusaic encrypts all data in transit and at rest using secure, up-to-date protocols and key lengths.

Encryption in motion: TLS 1.2+
Encryption at rest: AES-256+ disk encryption
Encryption keys are properly secured using Microsoft-managed keys

Trusaic protects your data in our data centers

Your data is protected, both from physical and environmental threats.

Trusaic's workplace equity platform is hosted on Microsoft Azure: Cloud Computing Services
Customer data is physically protected by Trusaic's cloud hosting provider which is SOC 2 and ISO27001 certified
Environmental protections against fire, moisture, and loss of power or connectivity

Access control

Trusaic requires unique user accounts and multi-factor authentication for all our software solutions.

Our access controls include:

Role-based access
Access by the Trusaic team to the databases is on a need-to-know basis, following the principle of least privilege
Access is removed promptly when no longer required
Access rights reviews, approvals and tracking

Comprehensive logging

Trusaic has a comprehensive logging infrastructure in place across our software solutions and systems to assist clients in monitoring user activity.

Trusaic logs all users and network activity and responds to alerts of any abnormal activity
Firewalls and host-based intrusion detection are in place
Logs are reviewed weekly and on alert
Security logs are retained indefinitely and all other logs for 90 days

We stand by our data security

Trusaic undergoes independent security auditing, vulnerability scanning, and penetration testing. Trusaic's software solutions undergo continuous vulnerability scanning and annual external application penetration testing. As part of the software development life cycle, the software solutions undergo industry standard quality assurance and regression testing.

In addition to Trusaic's information security program and application scanning and testing, Trusaic benefits from Microsoft's Azure cloud platform, a world class physical and environmental security. For more information on Azure's security certifications see here.

Industry-standard security evaluation

Every year, Trusaic undergoes an independent audit of all five Trust Services Principles - security, privacy, confidentiality, availability, and processing integrity - conducted by BDO, LLP as part of our SOC 2 Type II certification process
A copy of the report is available to clients upon request
Trusaic is in the process of obtaining ISO 27001 certification, which is an internationally recognized standard for information security management systems

Vulnerability scanning and penetration

Continuous vulnerability scanning is integrated into our CI pipeline and annual external application penetration testing is conducted

Data security FAQ

What other efforts does Trusaic take to protect client data?

Trusaic's software solutions undergo continuous vulnerability scanning and annual external application penetration testing. As part of the software development life cycle, the software solutions undergo industry standard quality assurance and regression testing.

In addition to Trusaic's information security program and application scanning and testing, Trusaic benefits from Microsoft's Azure cloud platform's world-class physical and environmental security. For more information on Azure's security certifications see here.

Does Trusaic have service level commitment?

Can Trusaic act as your data processor?

Yes. We leverage the principles of privacy by design and by default. The Trusaic platform enables customers to honor data subjects' rights such as the right to access, correct, and delete data. We are also positioned to meet any local data retention and minimization requirements.

Trusaic is fully compliant with the new Standard Contract Clauses published by the European Commission and has created a standard Data Protection Agreement (DPA) contract addendum that can be incorporated into client agreements involving international data transfers. Trusaic is also in the process of rolling out EU data localization so that EU clients can choose to localize their data storage on EU data servers.

Does Trusaic support consent-based data processing?

Does Trusaic use data sub-processors?

There are limited situations where Trusaic will use data sub-processors. When we utilize subcontractors or sub-processors to perform tasks that require access to your data, they will only have access to the data necessary to perform the specific sub-function contracted for and they will always be bound by the same contractual privacy commitments as Trusaic.

A list of sub-processors and their contracted sub-functions is available upon request and will always be fully identified in any DPA or other privacy addendum to the agreement.

How does Trusaic respond to data requests?

Want to learn about Trusaic software?

Trusaic is Trusted and Partnered with HCM Global Leaders

1201615759260930.VxRtZXXcnWSvOcevKO03_height640

1201615759260924.rCztaYy15ICEqh13Qo7B_height640