TrustVerify AI Security & Trust Architecture

AUDIENCE: CISOs · Security Teams · Auditors | VERSION: 1.0 | UPDATED: 2026-06-20

Encryption

At Rest

AES-256-GCM for all stored data
Key management via AWS KMS with HSM backing
Automated key rotation every 90 days
Database-level encryption (TDE)

In Transit

TLS 1.3 for all API communications
TLS 1.2 minimum (1.0/1.1 rejected)
Certificate pinning for internal services
HSTS enforced on all public endpoints

Access Control

Authentication

OAuth 2.0 (client credentials + PKCE flows)
MFA required for all admin and console access
Session timeout: 15 minutes inactivity
API keys scoped to specific permissions
Separate keys per environment (prod/staging/dev)

Authorization

Role-based access control (RBAC)
Principle of least privilege enforced
Organization-level data isolation (no cross-tenant)
Audit log for all permission changes
Automated access review every 90 days

Data Handling

Core Commitment: TrustVerify AI does NOT retain customer data content — no documents, conversations, AI outputs, or business data. We retain only metadata: vendor names, API endpoints, score calculations, alert records. Your data stays with you.

What We Collect

Vendor names, categories, API endpoints
Score calculations and score history
Alert metadata (type, severity, timestamp)
Policy definitions and enforcement records
Webhook delivery receipts

What We Never Collect

Customer data content (documents, messages)
AI vendor outputs or responses
User PII beyond work email
Network traffic payload content
Vendor proprietary configurations

Data Residency & Retention

Residency: US-East-1 by default. EU-West-1 available for European customers (GDPR compliance).
Audit trail retention: 7 years, immutable, for compliance and legal hold purposes.
Transient processing data: Purged within 90 days.
Contract termination: All customer data deleted within 30 days. Deletion certificate provided on request.

Infrastructure

Cloud Platform

AWS infrastructure, SOC 2 Type II certified data centers
Network segmentation: prod / staging / dev isolated
DDoS protection via AWS Shield Advanced
CDN via CloudFront with WAF rules

Detection & Prevention

IDS/IPS via AWS GuardDuty
Weekly automated vulnerability scanning
Quarterly manual penetration testing
Dependency scanning on every CI build

Incident Response

Critical / Breach

4-hour response. Customer notified within 24 hours. Incident commander assigned immediately.

High Severity

24-hour response. Customer notified within 48 hours if data impacted.

Standard

72-hour response. Addressed in normal operational cycle.

All incidents logged with full forensic preservation. Logs retained 7 years. Post-incident reports available to Enterprise customers within 30 days of closure.

Compliance Roadmap

Framework	Status	Target	Notes
GDPR	✓ COMPLIANT	Now	Data minimization, right to deletion, portability implemented
CCPA	✓ COMPLIANT	Now	Disclosure, opt-out, deletion flows active
HIPAA BAA	✓ AVAILABLE	Now	Business Associate Agreement available for healthcare customers
SOC 2 Type II	⦿ IN PROGRESS	Q4 2026	Audit initiated Q3 2026. Evidence collection underway.
ISO 27001	⊚ PLANNED	Q2 2027	Following SOC 2 completion
FedRAMP	⊚ PLANNED	Q4 2027	Government track. Sponsor agency identification in progress.

Privacy Commitments

We collect only metadata necessary for scoring — no customer content.
We do not sell or share data with third parties for marketing purposes.
We support data portability: export all your data within 48 hours of request.
We support right to deletion: all data purged within 30 days of request.
We do not use customer data to train models without explicit written consent.
We publish an annual transparency report (government data requests, confirmed security incidents).
Encryption: AES-256 at rest, TLS 1.3 in transit. Insurance: $5M E&O coverage. US-based (NC).

TrustVerify AI Security & Trust Architecture

Encryption

At Rest

In Transit

Access Control

Authentication

Authorization

Data Handling

What We Collect

What We Never Collect

Data Residency & Retention

Infrastructure

Cloud Platform

Detection & Prevention

Incident Response

Compliance Roadmap

Privacy Commitments

Questions About Our Security Posture?