Security
TruthVouch is built with security and compliance as foundational principles. We protect your data using industry best practices and are working toward industry compliance certifications.
Security Overview
Certifications & Standards
- SOC 2 Type II — Architecture designed for compliance (audit planned)
- GDPR Compliant — EU data processing with standard contractual clauses
- HIPAA Ready — Healthcare data handling for regulated industries
- ISO 27001 — Information security management practices aligned
- PCI DSS — Secure payment card processing
Data Protection
- Encryption at Rest: AES-256 for all stored data
- Encryption in Transit: TLS 1.2+ for all communication
- Tokenization: Payment card data handled by PCI-certified providers
- Key Management: Hardware security module (HSM) backed key storage
Infrastructure Security
- DDoS Protection: CloudFlare and AWS Shield
- Firewalls: Network segmentation and WAF rules
- Intrusion Detection: 24/7 monitoring and alerting
- Vulnerability Scanning: Automated weekly scans + manual penetration testing
- Multi-AZ Deployment: Automatic failover and disaster recovery
Access Control
- Multi-Factor Authentication (MFA): Mandatory for all users
- Role-Based Access Control (RBAC): Principle of least privilege
- Single Sign-On (SSO): OAuth 2.0 with enterprise providers
- Audit Logging: All access logged with immutable records
Compliance & Regulations
| Framework | Status | Details |
|---|---|---|
| GDPR | Compliant | EU data centers, DPA included, data transfer mechanisms |
| HIPAA | Ready | BAA available, encryption, audit controls |
| SOC 2 Type II | Planned | Architecture designed for SOC 2 compliance |
| CCPA | Compliant | California privacy rights implemented |
| NIST AI RMF | Aligned | Risk management practices documented |
Key Documents
- Responsible Disclosure — How to report vulnerabilities securely
- Penetration Testing — Third-party audit results and scope
- SLA & Uptime — Availability guarantees and service credits
- Data Handling — How we manage and protect customer data
- GDPR — GDPR-specific rights and procedures
- Multi-Tenancy — Customer data isolation
- SOC 2 — Details of annual SOC 2 Type II audit
Security Incident Response
We take security incidents seriously and respond with:
- Immediate Containment (< 1 hour) — Isolate affected systems
- Investigation (< 24 hours) — Determine scope and impact
- Notification (< 24 hours) — Notify affected customers
- Remediation (< 72 hours) — Fix vulnerability and deploy patch
- Post-Mortem (< 7 days) — Root cause analysis and process improvements
Customers can contact support@truthvouch.com for incident status information.
How We Protect Your Data
During Collection
- TLS 1.2+ encryption in transit
- Input validation and sanitization
- Rate limiting on APIs
While Stored
- AES-256 encryption at rest
- Database-level encryption
- Regular automated backups
- Immutable audit logs
During Access
- Multi-factor authentication required
- Role-based access control
- Session timeouts (30 min)
- Endpoint protection on access devices
During Deletion
- Crypto-shred (key deletion without data overwrite)
- Database records deleted within 30 days
- Backup retention: 90 days
- Audit logs: 7 years (legal requirement)
Third-Party Security
We maintain security with third-party vendors:
- All sub-processors are contractually bound to equivalent security standards
- Regular audits of sub-processor compliance
- Incident notification required within 24 hours
- See Sub-Processors for complete list
Compliance Verification
Request Compliance Documentation
- SOC 2 Report: Available upon completion of audit (planned)
- Penetration Test: Summary available publicly
- Vulnerability Assessment: Results on demand
- Custom Audit: Contact enterprise sales
Contact: compliance@truthvouch.com
Audit Your Data
You have the right to audit:
- Our data handling practices (via request)
- Data stored about your account
- Access logs showing who accessed your data
- Deletion confirmation
Bug Bounty Program
We maintain a bug bounty program to identify and fix vulnerabilities:
- Scope: TruthVouch.com and APIs
- Rewards: $100 - $10,000 based on severity
- Process: See Responsible Disclosure
- Leaderboard: Top researchers recognized publicly
Security Updates
We regularly:
- Patch dependencies within 72 hours of disclosure
- Deploy security updates immediately for critical issues
- Notify customers of material security improvements
- Publish security advisories for tracked CVEs
Subscribe to security updates: notifications.truthvouch.com
Questions?
- Security Policy: security@truthvouch.com
- Incident Report: security@truthvouch.com
- Bug Bounty: bugs@truthvouch.com
- Compliance: compliance@truthvouch.com