How We Protect Your Data
As a trust readiness platform, we hold ourselves to the same standards we measure. Here's how we protect the data you entrust to us.
Encryption
All data is encrypted in transit using TLS 1.3. Data at rest is encrypted via AES-256 through our hosting provider (Render), which runs on AWS infrastructure. Database connections use SSL. Backups are encrypted. API keys and secrets are stored using environment-level encryption and are never committed to source control.
Infrastructure & Hosting
TrustSignal is hosted on Render, which runs on AWS infrastructure in the US region. Render provides managed TLS certificates, DDoS protection, and automatic failover. Our PostgreSQL database is hosted on Render with automated daily backups, point-in-time recovery, and encrypted storage. All services run in isolated containers with no shared tenancy.
Access Controls
Access to production systems is restricted to authorized personnel, enforced through role-based access control (RBAC) and the principle of least privilege. Multi-factor authentication (MFA) is required for all administrative access. API authentication uses JWT tokens with configurable expiry. Team members have granular role-based permissions (owner, admin, member, viewer) controlling access to sites, scans, and settings.
Monitoring & Logging
Application logs are captured and rotated automatically. We monitor for errors, performance anomalies, and unusual access patterns. Database queries are logged in development for debugging. Health check endpoints provide real-time service status. Our public status page at status.trustsignal.tech provides operational transparency.
Incident Response
We maintain an incident response process for security events. In the event of a confirmed data breach, we will notify affected customers within 72 hours via email, consistent with GDPR requirements. Our incident response includes: identification, containment, eradication, recovery, and post-incident review. Security incidents are documented and reviewed to prevent recurrence.
Data Handling & Retention
TrustSignal only processes publicly accessible information — we never access authenticated or private systems. Scan data is retained for the duration of your subscription. Account data is retained for 30 days after account deletion. You may request full data export or deletion at any time by contacting support@trustsignal.tech. We do not sell, share, or use customer data for training AI models. Our subprocessors are listed at trustsignal.tech/subprocessors.
Backup & Disaster Recovery
Database backups run daily with 7-day retention. Point-in-time recovery is available for the most recent 7 days. Application releases use zero-downtime deployments. In the event of a regional outage, Render provides infrastructure-level failover capabilities. We target 99.9% uptime as documented in our Terms of Service.
Employee Security
All team members with access to production systems undergo security awareness training. Access is granted on a need-to-know basis. Offboarding procedures include immediate revocation of all system access. We use separate development and production environments to prevent accidental data exposure.
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to security@trustsignal.tech. We commit to acknowledging reports within 48 hours and providing a resolution timeline within 5 business days. Our security.txt file is available at trustsignal.tech/.well-known/security.txt. We do not pursue legal action against researchers acting in good faith.
Compliance & Frameworks
TrustSignal aligns its security practices with industry frameworks including the NIST Cybersecurity Framework and OWASP guidelines. We implement security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) across all web properties. SPF, DMARC, and DKIM are configured for email authentication. We are evaluating SOC 2 Type II certification as part of our compliance roadmap.
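Presence alone is not enough for the headers listed above: an HSTS header with a tiny max-age, a CSP without a default-src fallback, or a Referrer-Policy of unsafe-url still leaves a gap. The following is an added illustration of how a practitioner might check a captured response header set against those six headers (example code, not TrustSignal's own scanner; the threshold values follow common hardening guidance and the two sample header sets are constructed, not captured from any real site).

```python
"""Check an HTTP response header set for the six security headers named on the page.

Added example, not TrustSignal's code. The expected values (one-year HSTS
max-age, a CSP default-src fallback, DENY/SAMEORIGIN, nosniff, a non-leaking
Referrer-Policy) follow common hardening guidance; adjust to your own policy.
"""
import re

REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Referrer-Policy values that never send the full URL to a different origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}

ONE_YEAR = 31536000  # seconds; the usual minimum for HSTS preload


def check_security_headers(headers):
    """Return a list of findings; an empty list means every check passed.

    `headers` maps header name -> value. HTTP header names are
    case-insensitive, so they are normalised to lowercase first.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # 1. Every listed header must be present at all.
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing: {name}")

    # 2. HSTS needs a max-age, and a short one gives little protection.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("hsts: no max-age directive")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"hsts: max-age {m.group(1)} is below one year")

    # 3. CSP: parse "directive source source; directive ..." into a dict.
    csp = h.get("content-security-policy")
    if csp is not None:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "default-src" not in directives:
            findings.append("csp: no default-src fallback")
        for directive in ("default-src", "script-src"):
            if "'unsafe-inline'" in directives.get(directive, []):
                findings.append(f"csp: {directive} allows 'unsafe-inline'")

    # 4. Framing, MIME sniffing and referrer leakage checks.
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unexpected value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"x-content-type-options: expected nosniff, got {xcto!r}")

    rp = h.get("referrer-policy")
    if rp is not None and rp.lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"referrer-policy: {rp!r} may leak full URLs cross-origin")

    return findings


# Constructed sample header sets (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

WEAK = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_security_headers(hdrs) or "ok")
```

Feeding it real headers is a matter of passing `dict(response.headers)` from whatever HTTP client you use; the checker deliberately takes a plain mapping so it can run offline against stored responses too.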
Application Security
Our application implements: rate limiting on all API endpoints, input validation and sanitization, CSRF protection, SQL injection prevention via parameterized queries, XSS protection via Content-Security-Policy headers, secure session management with configurable JWT expiry, and IP-based rate limiting on public scan endpoints. Authentication supports MFA via TOTP (time-based one-time passwords).
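Of the controls listed above, input validation and parameterized queries are the two a reviewer most often wants to see rather than read about. The block below is an added illustration (not TrustSignal's code) of both applied to a site lookup: the hostname is validated before it reaches the database, and the query binds it as a parameter so that quote characters in the value are treated as data. The table, column names and rows are assumptions constructed for the example; SQLite's in-memory database stands in for PostgreSQL, and the `?` placeholder style is SQLite's (psycopg uses `%s`).

```python
"""Input validation plus a parameterized, tenant-scoped lookup.

Added example, not TrustSignal's code. Uses an in-memory SQLite database with a
constructed `sites` table; the schema is an assumption for the illustration.
"""
import re
import sqlite3

# RFC-1123 style hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, 1-63 chars per label, alphabetic TLD, <= 253 total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def validate_hostname(host: str) -> bool:
    """Accept only syntactically valid hostnames; rejects quotes, spaces, etc."""
    return bool(HOSTNAME_RE.match(host.lower().rstrip(".")))


def make_db() -> sqlite3.Connection:
    """Build the constructed sample database (two sites, two owners)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sites (id INTEGER PRIMARY KEY, host TEXT NOT NULL, owner_id INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO sites (host, owner_id) VALUES (?, ?)",
        [("example.com", 1), ("shop.example.net", 2)],
    )
    conn.commit()
    return conn


def find_sites(conn: sqlite3.Connection, host: str, owner_id: int):
    """Parameterized lookup scoped to the caller's owner_id.

    Both values are bound as parameters: the driver passes them as data, so
    nothing in `host` can alter the statement's structure. The owner_id
    predicate enforces tenant isolation at the query level.
    """
    return conn.execute(
        "SELECT id, host FROM sites WHERE host = ? AND owner_id = ?",
        (host, owner_id),
    ).fetchall()


def lookup(conn: sqlite3.Connection, host: str, owner_id: int):
    """Validate first, then query. Returns None for input that fails validation."""
    if not validate_hostname(host):
        return None
    return find_sites(conn, host.lower().rstrip("."), owner_id)


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "example.com", 1))        # the owner's own site
    print(lookup(db, "example.com", 2))        # another tenant: no rows
    print(lookup(db, "o'reilly.example", 1))   # rejected by validation: None
    print(find_sites(db, "o'reilly.example", 1))  # even unvalidated, just no rows
```

Validation and parameterization are separate layers on purpose: the regex keeps junk out of the application early and gives a clean error to the caller, while parameter binding is what actually guarantees the database never interprets user input as SQL, so the second layer holds even where the first is bypassed or forgotten.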
Third-Party Security
We carefully evaluate all third-party services (subprocessors) before integration. Each subprocessor has been evaluated for security practices, data handling, and compliance posture. Our current subprocessors are documented at trustsignal.tech/subprocessors. We use Stripe for payment processing — we never store credit card numbers on our servers. AI analysis is performed via API calls to Anthropic and xAI with no customer data used for model training.
Questions About Our Security?
We're transparent about our practices. Reach out anytime.
Last updated: March 2026 · PrAry Soft LLC · Cumming, Georgia