Security & Compliance Overview

Security is foundational to TruthVouch. We protect your data, enforce strict isolation, and maintain certifications proving our commitment to security and compliance.

Security Posture

TruthVouch is built with defense-in-depth architecture:

Data Protection

  • At Rest: AES-256 encryption using FIPS 140-2 validated cryptographic modules
  • In Transit: TLS 1.3 (HTTPS everywhere)
  • In Memory: Sensitive data structures are cleared after use
  • Key Management: Keys held in hardware security modules (HSMs) with automatic rotation

Multi-Tenant Isolation

  • Row-Level Security: The database enforces tenant filtering on every query
  • Separate Schemas: Each tenant's data is isolated in its own PostgreSQL schema
  • JWT-Based: Every request's JWT is validated and scopes the request to its tenant
  • Network Isolation: VPC isolation between tenants

Network Security

  • WAF and DDoS Protection: Cloudflare web application firewall and DDoS mitigation
  • Rate Limiting: Per-IP, per-API-key, per-tenant quotas
  • VPC: Private subnets for database and internal services
  • Secrets Management: AWS Secrets Manager with automatic rotation

Certifications & Compliance

SOC 2 Type II

Audited and certified for:

  • Security (access controls, encryption, monitoring)
  • Availability (99.9% uptime SLA)
  • Processing Integrity (data accuracy and integrity)
  • Confidentiality (data confidentiality controls)
  • Privacy (GDPR-like data handling)

Current Status: Active, annual audit completed
Request Access: Contact support@truthvouch.com

GDPR Compliance

Full GDPR compliance including:

  • Data Processing Agreement (DPA)
  • Sub-processors list
  • Data Subject Rights (access, erasure, portability)
  • Breach Notification (within 72 hours)
  • Data Residency options (EU, US, custom)

ISO 42001 (AI Management)

Working toward ISO 42001 certification covering:

  • AI system governance
  • Risk management
  • Human oversight
  • Transparency and documentation
  • Incident management

Target: Certification by Q3 2024

Security Features

Encryption

At Rest:

  • Database: AES-256 (encrypted volumes)
  • Backups: AES-256 with separate keys
  • Logs: AES-256 with long-term key retention

In Transit:

  • All APIs: TLS 1.3 minimum
  • All webhooks: Signed with HMAC-SHA256
  • All SDKs: Built-in TLS verification
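The page states that webhooks are signed with HMAC-SHA256 but does not document the header name, payload layout or replay window. The following is an added example, not TruthVouch code, showing how a receiver should verify such a signature: the header layout (t=<timestamp>,v1=<hex digest> over "<timestamp>.<raw body>"), the 5-minute freshness window, and the sample secret and payload are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header layout for this example (not the documented TruthVouch format):
#   X-Signature: t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">
# Binding the timestamp into the signed string is what makes the replay window enforceable.
REPLAY_WINDOW_SECONDS = 300  # assumption: reject deliveries more than 5 minutes old


def _digest(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over the timestamp and the raw request body, hex encoded."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the signature header as the sender would (used here to construct test input)."""
    return f"t={timestamp},v1={_digest(secret, timestamp, body)}"


def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the header is well formed, fresh, and carries a valid MAC.

    `body` must be the raw bytes as received: re-serializing parsed JSON can change
    whitespace or key order and silently break the signature.
    """
    now = int(time.time()) if now is None else now
    fields = {}
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    try:
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False  # missing or malformed fields
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False  # stale (or future-dated) delivery: possible replay
    expected = _digest(secret, timestamp, body)
    # Constant-time comparison so response timing does not leak the expected MAC.
    return hmac.compare_digest(expected, provided)


# Constructed sample delivery for illustration (secret and payload are made up).
SAMPLE_SECRET = b"whsec_example_do_not_use"
SAMPLE_BODY = b'{"event":"verification.completed","id":"evt_123"}'
SAMPLE_TS = 1_700_000_000
SAMPLE_HEADER = sign(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY)

if __name__ == "__main__":
    print(verify(SAMPLE_SECRET, SAMPLE_HEADER, SAMPLE_BODY, now=SAMPLE_TS + 5))
```

Check the signature before parsing the body, verify over the exact bytes received, and reject anything outside the freshness window; a correct MAC on a stale timestamp is exactly what a replayed capture looks like.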

Authentication & Authorization

  • API Keys: Scoped, rotatable, rate-limited
  • OAuth 2.0: For user authentication
  • SAML/OIDC: For enterprise SSO
  • MFA: TOTP and WebAuthn support
  • SCIM: User provisioning for Okta, Azure AD

Audit & Monitoring

  • Immutable Audit Trail: Hash-chained logs (SHA-256)
  • Real-Time Alerting: Security incidents alert within 1 minute
  • SIEM Integration: Splunk, Datadog, etc.
  • Log Retention: 7 years for compliance
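The audit trail above is described as hash-chained with SHA-256 but the record layout is not given. The following is an added example, not TruthVouch's implementation, of how such a chain is built and checked: each record commits to the previous record's hash, so editing, deleting or reordering an earlier record breaks every link after it. The record fields, the all-zero genesis hash and the sample audit entries are constructed for illustration.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# Hash-chained audit log (added example, not TruthVouch's implementation).
GENESIS_HASH = "0" * 64  # anchor for the first record (assumption for this example)


def _canonical(obj: Dict[str, Any]) -> bytes:
    """Deterministic JSON so the same record always hashes to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash: str, seq: int, entry: Dict[str, Any]) -> str:
    """SHA-256 over the previous hash, the sequence number and the canonical entry."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(b"\n")
    h.update(_canonical({"seq": seq, "entry": entry}))
    return h.hexdigest()


def append(chain: List[Dict[str, Any]], entry: Dict[str, Any]) -> Dict[str, Any]:
    """Append an audit entry, linking it to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    seq = len(chain)
    record = {"seq": seq, "prev_hash": prev_hash, "entry": entry,
              "hash": record_hash(prev_hash, seq, entry)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict[str, Any]]) -> Optional[int]:
    """Return the index of the first broken record, or None if the chain is intact."""
    prev_hash = GENESIS_HASH
    for i, record in enumerate(chain):
        if record.get("seq") != i or record.get("prev_hash") != prev_hash:
            return i  # gap, reorder or deletion
        if record_hash(prev_hash, i, record.get("entry", {})) != record.get("hash"):
            return i  # record contents or stored hash altered
        prev_hash = record["hash"]
    return None


def build_sample_chain() -> List[Dict[str, Any]]:
    """Constructed sample entries for illustration (not real audit data)."""
    chain: List[Dict[str, Any]] = []
    append(chain, {"ts": "2024-01-01T00:00:00Z", "actor": "alice", "action": "login"})
    append(chain, {"ts": "2024-01-01T00:05:00Z", "actor": "alice", "action": "export_data"})
    append(chain, {"ts": "2024-01-01T00:06:00Z", "actor": "bob", "action": "login"})
    return chain


def tamper_and_rehash(chain: List[Dict[str, Any]], index: int, actor: str) -> None:
    """Simulate an insider who edits one record and recomputes only that record's hash."""
    rec = chain[index]
    rec["entry"]["actor"] = actor
    rec["hash"] = record_hash(rec["prev_hash"], rec["seq"], rec["entry"])


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))          # None: intact
    tamper_and_rehash(chain, 1, "mallory")
    print(verify_chain(chain))          # 2: the next record's prev_hash no longer matches
```

A chain only proves integrity relative to its head hash: a party who can rewrite the whole store can recompute every link. The usual mitigation is to periodically publish or escrow the head hash somewhere the log writer cannot modify (or to sign each record with a key the writer does not hold) so that a full rewrite is also detectable.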

Penetration Testing

  • Annual Third-Party Testing: Authorized penetration test by a certified firm
  • Bug Bounty Program: Responsible disclosure with rewards
  • Continuous Scanning: Automated scanning for OWASP Top 10 vulnerability classes

Compliance Frameworks

TruthVouch helps you comply with:

Framework    Region            Coverage
GDPR         EU                Data protection, DPA, breach notification
EU AI Act    EU                Transparency, incident reporting (Art. 73)
HIPAA        US (Healthcare)   Covered entity requirements
SOC 2        US/Global         Security, availability, confidentiality
ISO 42001    Global            AI management systems
CCPA/CPRA    US (California)   Data subject rights
LGPD         Brazil            Brazilian privacy requirements
PIPEDA       Canada            Canadian privacy law

Data Residency

Choose where your data is stored:

  • US (Default): AWS us-east-1 (Virginia)
  • EU: AWS eu-west-1 (Ireland)
  • Segregated: Your own AWS account (Enterprise)
  • On-Premises: Self-hosted option (Enterprise)

Incident Response

Our Commitment:

  • Detection: <1 minute via automated monitoring
  • Notification: <1 hour to affected customers
  • Response: Incident response team engaged immediately
  • Resolution: SLA-driven (varies by severity)

Severities:

  • Critical: <15 min to mitigation
  • High: <1 hour to mitigation
  • Medium: <4 hours to mitigation
  • Low: <24 hours to mitigation

Trust & Transparency

We believe security is earned through transparency:

  • Status Page: Real-time status at status.truthvouch.com
  • Security Reports: Available on request for Enterprise customers
  • Roadmap: Public security improvements at roadmap.truthvouch.com
  • Blog: Security updates and best practices

Next Steps

  • Data Handling: Learn about encryption and data protection
  • Multi-Tenancy: Understand isolation mechanisms
  • GDPR: Review data processing agreement
  • SOC 2: Request our SOC 2 Type II report
  • Disclosure: Learn how to report security vulnerabilities