TrustStrike Labs

Security

How we protect customer data. Infrastructure, encryption, development practices, and compliance - written plainly, reviewed regularly, and open to scrutiny.

1. Our commitment

Security is the foundation of the platform, not a feature added to it. Every layer - infrastructure, application, data, operations - is designed with the assumption that an attacker is trying to defeat it.

We treat customer data as confidential by default: isolated per customer, encrypted in transit and at rest, and never used to train models or shared outside the vetted sub-processors listed in our privacy documentation.

2. Infrastructure

The service runs on top-tier cloud providers with data residency and edge protection appropriate for regulated customers.

  • Hosting: AWS and GCP inside isolated VPCs. Production workloads are segregated from staging and internal environments.
  • Data residency: Primary data centres in the EU (Ireland and Germany) to satisfy sovereignty requirements for European customers.
  • Edge protection: Multi-layered DDoS mitigation and a Web Application Firewall enforced at the edge before traffic reaches the application.

3. Data encryption

All customer data is encrypted both at rest and in transit, with logical isolation between tenants.

  • At rest: AES-256 encryption for all database records, object storage, and backup snapshots. Keys are managed by the cloud KMS and rotated on a defined schedule.
  • In transit: TLS 1.3 is enforced for all traffic between your browser and our servers, and between internal service boundaries.
  • Tenant isolation: Logical tenant isolation is enforced at the application and query layer, so one customer's queries cannot return or modify another customer's rows.
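The tenant-isolation property described above, as an added example that is not TrustStrike Labs' own code: a query layer that refuses to run without a tenant context and injects the tenant predicate into every statement itself, so a document id guessed from another tenant reads as absent and a cross-tenant write touches zero rows. The schema, the tenant identifier format (`t-acme`, `t-globex`) and the sample rows are constructed for the example; the database is in-memory SQLite so it runs offline.

```python
"""Tenant-scoped query layer (added example, not TrustStrike Labs code).

Every data access must carry a TenantContext; the repository appends the
tenant predicate to each statement rather than trusting callers to do so.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional


class TenantContextError(Exception):
    """Raised when a query is attempted without a tenant context."""


@dataclass(frozen=True)
class TenantContext:
    tenant_id: str  # hypothetical identifier format, e.g. "t-acme"


class ScopedRepository:
    """Query layer that ANDs `tenant_id = ?` into every statement."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    @staticmethod
    def _require(ctx: Optional[TenantContext]) -> str:
        # Fail closed: no context means no query, not an unfiltered query.
        if ctx is None or not ctx.tenant_id:
            raise TenantContextError("tenant context required")
        return ctx.tenant_id

    def list_documents(self, ctx: Optional[TenantContext]) -> list:
        tid = self._require(ctx)
        rows = self.conn.execute(
            "SELECT id, title FROM documents WHERE tenant_id = ? ORDER BY id",
            (tid,),
        ).fetchall()
        return [{"id": r[0], "title": r[1]} for r in rows]

    def get_document(self, ctx: Optional[TenantContext], doc_id: int):
        # The tenant predicate is ANDed with the caller's lookup key, so a
        # leaked or guessed id belonging to another tenant returns None.
        tid = self._require(ctx)
        row = self.conn.execute(
            "SELECT id, title, body FROM documents WHERE tenant_id = ? AND id = ?",
            (tid, doc_id),
        ).fetchone()
        if row is None:
            return None
        return {"id": row[0], "title": row[1], "body": row[2]}

    def update_title(self, ctx: Optional[TenantContext], doc_id: int, title: str) -> int:
        tid = self._require(ctx)
        cur = self.conn.execute(
            "UPDATE documents SET title = ? WHERE tenant_id = ? AND id = ?",
            (title, tid, doc_id),
        )
        self.conn.commit()
        return cur.rowcount  # 0 means the row is not ours (or does not exist)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " title TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?, ?)",
        [
            (1, "t-acme", "Q3 roadmap", "acme internal"),
            (2, "t-acme", "Vendor list", "acme vendors"),
            (3, "t-globex", "Board minutes", "globex confidential"),
        ],
    )
    conn.commit()
    return conn


def demo() -> dict:
    """Exercise the isolation property and return the observations."""
    repo = ScopedRepository(build_sample_db())
    acme = TenantContext("t-acme")
    globex = TenantContext("t-globex")
    results = {
        "acme_ids": [d["id"] for d in repo.list_documents(acme)],
        "globex_ids": [d["id"] for d in repo.list_documents(globex)],
        # id 3 exists, but not for acme: the cross-tenant read yields None
        "acme_reads_globex_doc": repo.get_document(acme, 3),
        # the cross-tenant write matches zero rows
        "acme_updates_globex_doc": repo.update_title(acme, 3, "pwned"),
        "globex_doc_title": repo.get_document(globex, 3)["title"],
    }
    try:
        repo.list_documents(None)
        results["no_context"] = "allowed"
    except TenantContextError:
        results["no_context"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the tenant filter lives in one place that every caller must pass through; a missing context raises rather than silently widening the query, which is the failure mode that turns a forgotten `WHERE` clause into cross-customer leakage.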

4. Product & development

Security is integrated into how we build and ship, not tacked on before release.

  • Secure SDLC: Security review on every code commit and every architectural change. Threat modelling is required for new external surfaces.
  • Continuous scanning: Automated SAST, DAST, and dependency scanning run on every build. Critical findings block merges until resolved.
  • Penetration testing: Annual third-party penetration tests against the production surface. Executive summaries are available on request to qualified prospects.

5. Operational security

Production access is tightly controlled, continuously logged, and tested against real recovery scenarios.

  • Zero trust access: Identity-aware access control via Cloudflare Zero Trust. No static VPN, no shared credentials; every request is authenticated and authorised.
  • SSO & MFA: Mandatory for all employees, contractors, and vendor accounts. No exceptions, no bypass groups.
  • Backups & resilience: Daily encrypted backups with 30-day retention and quarterly recovery drills against documented RTO and RPO targets.

6. Compliance

We hold ourselves to frameworks your procurement and legal teams already recognise.

Framework            Scope                                                                            Status
GDPR                 Full compliance with EU data protection standards. We act as a Data Processor.   Active
ISO/IEC 27001:2022   Aligned with the international information security management standard.        Aligned
SOC 2 Type II        Security, Availability, and Confidentiality trust criteria.                      Planned 2027/28

7. Security contact

For security documentation (SOC 2 status, penetration test summaries, DPA templates) or to report a vulnerability, contact the addresses below.