Security
Our Security Posture
TrustTrace is a security company. We hold ourselves to the same standard we assess our clients against.
Platform Security
- Data in transit. All communication between your browser, our API, and our scan workers is encrypted using TLS 1.2 or higher.
- Data at rest. Sensitive data is encrypted at rest in our managed database infrastructure.
- Scan isolation. Uploaded configuration files are processed in isolated environments. Cross-customer data access is not possible by design.
- Secret management. We do not store secrets in environment variable files or version control. All production secrets are managed through our cloud provider's secret management infrastructure.
- Access controls. Access to production systems is limited to authorized personnel. All access is logged and reviewed.
- Dependencies. We continuously scan our own dependencies for known vulnerabilities using the same OSV.dev integration we provide to our customers.
We Assess Ourselves
TrustTrace runs its own platform through TrustTrace assessments. We apply our full OWASP LLM Top 10 rule set to our own agentic components. Findings are tracked and remediated on the same timeline we recommend to clients.
Industry Framework Alignment
TrustTrace builds its rule library on established industry frameworks rather than proprietary threat models.
Our assessments align to:
- OWASP LLM Top 10: all 10 categories, covered by 46 rules.
- CoSAI MCP Security threat taxonomy (January 2026), published by a working group including Anthropic, Google, IBM, Microsoft, and NVIDIA.
- HIPAA security controls: 19 mapped controls.
- SOC 2 Trust Services Criteria: 17 mapped criteria.
Responsible Disclosure
If you discover a security vulnerability in the TrustTrace platform or any TrustTrace-operated service, please report it to:
hello@trusttrace.io
Subject: Security Vulnerability Report
We commit to:
- Acknowledge your report within 48 hours
- Provide a status update within 7 days
- Not pursue legal action against good-faith security researchers
- Credit you in our changelog if you wish
Please do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate.
Compliance Roadmap
We are actively pursuing the following compliance milestones:
| Milestone | Status |
|---|---|
| Privacy Policy | ✅ Published |
| Internal Security Policy | ✅ Implemented |
| MSA + NDA + BAA Templates | ✅ Available on request |
| SOC 2 Type I | Planned, pre-SaaS launch |
| HIPAA Program | Planned, pre-enterprise launch |
| SOC 2 Type II | Planned, post-launch |
Enterprise clients requiring compliance documentation should contact hello@trusttrace.io.
Contact
Security reports: hello@trusttrace.io
General: hello@trusttrace.io