Legal

Security Overview

Last updated May 18, 2026

Template notice. This page summarises our security program. TrustekAI does not yet hold formal third-party security certifications (SOC 2, ISO 27001, etc.) — these are on our compliance roadmap. Documentation of our current control environment, the certification roadmap, and target dates are available to enterprise prospects under NDA.

1. Encryption

• In transit: TLS 1.2+ enforced on all customer-facing endpoints; HSTS preloaded; modern ciphers only.
• At rest: AES-256 for the primary database, object storage, and backups.
• Key management: managed via the cloud provider's KMS with rotation every 12 months.
• BYOK is available on Enterprise plans — customers supply a KMS key and TrustekAI envelope-encrypts row-level secrets with it.

2. Access controls

• All employee access to production systems requires MFA and is scoped by role.
• Just-in-time access elevation for incident response, expiring within 4 hours.
• Quarterly access reviews; departures are processed within 24 hours.
• Customer data access by employees is logged and reviewed monthly.

3. Network and infrastructure

• Hosted on Railway (primary) with regional segregation per the customer's chosen residency.
• Private networking and VPC peering are available on Enterprise plans.
• Cloudflare provides DNS, CDN, DDoS mitigation, and a managed WAF in front of the API gateway.
• Production environments are isolated from staging and development at the cloud-account level.

4. Software development lifecycle

• Mandatory code review on every change; protected branches enforce status checks.
• Automated dependency scanning (npm audit, Renovate) gates new vulnerabilities.
• Static analysis (ESLint, TypeScript strict) and 600+ tests run on every PR.
• Manual security review for changes touching authn, authz, payment, or data egress paths.
• Security disclosures via security@trustekai.com — responsible-disclosure rewards available on request.

5. Monitoring and incident response

• Centralised logging with 1-year retention; high-severity events alert on-call within 5 minutes.
• Incident response runbook covers detection, containment, eradication, recovery, and post-mortem.
• Customers are notified of incidents affecting their data within 72 hours per our DPA.
• Quarterly tabletop exercises simulate breach scenarios.

6. Penetration testing and audits

• Independent penetration test of the application and infrastructure — first engagement on our roadmap.
• Continuous bug bounty — in scoping (planned for 2026 H2).
• SOC 2 (Type I, then Type II) — on our compliance roadmap; not yet held.
• ISO 27001 — on our compliance roadmap; not yet held.
• APRA CPS 234 / 230 conformance attestation for Australian regulated entities — on our roadmap; not yet held.

We are committed to obtaining each of these and will publish target audit dates as they are confirmed. Until then, no representation is made that TrustekAI holds any of the above certifications or attestations.

7. Backups and business continuity

• Database backups every 6 hours, retained for 35 days.
• Backups are encrypted and stored in a separate region.
• RPO ≤ 6 hours, RTO ≤ 4 hours for the API gateway and dashboard.
• Disaster recovery drills run twice per year.

8. Vulnerability management

• Critical vulnerabilities (CVSS ≥ 9.0) patched within 24 hours.
• High (≥ 7.0): 7 days.
• Medium: 30 days.
• Tracked in our internal security backlog with quarterly reporting to leadership.

9. Customer responsibilities

The shared-responsibility line:

• TrustekAI secures the platform, infrastructure, and managed services.
• Customers are responsible for credential hygiene, role-based access within their tenant, lawful basis for data ingested, and configuring their agents per their own risk appetite.
• Customers are encouraged to enable SSO, set retention windows appropriate to their compliance scope, and review the audit log periodically.

10. Contact

Security reports, vulnerability disclosures, and questions about our security program go to security@trustekai.com. PGP key fingerprint is published at /well-known/pgp-key.asc (planned).

Questions about this document can be sent to security@trustekai.com.