TrustRelay
Book a demo

Security & Compliance

TrustRelay operates with defense-in-depth security principles and a transparent compliance roadmap. We protect sensitive financial data, maintain audit trails, and pursue certifications that matter to enterprise finance teams.

Core Security Principles

๐Ÿ”

Least Privilege Access

All users, services, and integrations operate with the minimum permissions required. Role-based access controls (RBAC) ensure segregation of duties across tenant operations.

๐Ÿ”’

Encryption Everywhere

Data is encrypted at rest (AES-256) and in transit (TLS 1.3+). Sensitive fields like bank account details are encrypted with field-level encryption and access is logged.

๐Ÿ“‹

Immutable Audit Logs

Every decision, policy change, and payout is logged immutably in the Evidence Vault. Logs are tamper-evident, timestamped, and retained for compliance and forensic purposes.

๐Ÿ›ก๏ธ

Defense in Depth

Multiple layers of security controls protect data and operations: network segmentation, WAF, DDoS mitigation, intrusion detection, and continuous vulnerability scanning.

Compliance Roadmap

TrustRelay is committed to achieving and maintaining certifications that demonstrate operational maturity and align with enterprise security standards.

M0Foundation

SOC 2 Type II Readiness

  • Security policies and procedures documented
  • Access controls and encryption implemented
  • Audit logging infrastructure deployed
  • Incident response plan established
  • Third-party security assessments initiated
M1Repeatability

SOC 2 Type II Certification

  • Complete SOC 2 Type II audit and certification
  • Annual SOC 2 renewal process established
  • ISO 27001 gap assessment and planning
  • Continuous compliance monitoring tools deployed
  • Customer audit support workflows defined
M2Scale Engine

ISO 27001 & FedRAMP Moderate

  • ISO 27001 certification achieved
  • FedRAMP Moderate authorization in progress (if targeting federal agencies)
  • Regional compliance (GDPR, CCPA) fully implemented
  • Multi-tenant isolation audited and verified
  • Business continuity and disaster recovery tested
M3Category Proof

PCI DSS Level 1 & Global Standards

  • PCI DSS Level 1 certification (if processing card data at scale)
  • Regional certifications (e.g., TISAX for automotive, HITRUST for healthcare)
  • Global expansion compliance (APAC, EMEA, LATAM)
  • Zero-trust architecture fully implemented
  • Continuous compliance automation at scale

Data Protection Practices

Encryption at Rest

All data stored in databases, object storage, and backup systems is encrypted using AES-256. Encryption keys are managed through AWS KMS with automated rotation.

Encryption in Transit

All network traffic is encrypted using TLS 1.3 or higher. API endpoints require HTTPS, and internal service-to-service communication uses mutual TLS (mTLS).

Access Controls

Multi-factor authentication (MFA) is required for all user accounts. API access uses short-lived tokens with scoped permissions. Access is logged and monitored continuously.

Data Residency

Customer data is stored in AWS regions selected by the tenant. Cross-region replication and backup strategies respect data residency requirements.

Data Retention

Audit logs and evidence snapshots are retained for 7 years by default (configurable per tenant). Transactional data retention follows regulatory requirements.

Data Deletion

Customers can request data deletion per GDPR/CCPA. Deletion is performed securely with cryptographic erasure of encryption keys and physical media destruction where applicable.

Availability & Service Level Objectives

TrustRelay is designed for high availability and operational transparency. We publish SLO targets and incident response commitments.

99.9%

Platform Availability

Core API services and decision engine maintain 99.9% uptime SLO (measured monthly). We deploy redundant infrastructure across multiple availability zones.

< 2s

Decision Latency

Payout decisions complete in under 2 seconds at the 95th percentile. Policy evaluation and risk scoring are optimized for real-time use cases.

< 1h

Incident Response Time

Critical incidents are acknowledged within 15 minutes and resolved within 1 hour. Customers receive real-time status updates via status page and email.

24/7

Support Coverage

Enterprise customers receive 24/7 support with dedicated Slack channels and named technical account managers. On-call engineering support for critical incidents.

Incident Transparency

TrustRelay operates with full transparency during incidents. We publish postmortems, root cause analyses, and corrective actions for all customer-impacting events.

Public Status Page

Real-time system status is available at status.trustrelay.co. Customers can subscribe to incident notifications via email, Slack, or webhook.

Postmortem Process

Every incident receives a blameless postmortem within 48 hours. We publish root cause, timeline, impact analysis, and corrective actions to affected customers.

Security Incident Response

Security incidents follow our IR playbook: containment within 15 minutes, notification within 24 hours (or per contract SLA), and forensic analysis with third-party validation.

Request Security Documentation

Need SOC 2 reports, security questionnaires, or a deeper dive into our security practices? Our security team is ready to support your procurement and compliance review.

Contact Security Team