Security at Truss

Your customers' data, treated like it's our own.

Truss handles the day-to-day customer information that runs your business — emails, contracts, hours, billing. We treat it the way we'd want ours treated: encrypted at every step, accessible only to you, never sold, never traded, and ready to leave with you the day you decide to leave.

The short version

Three commitments. Not negotiable.

Most security pages bury the headline. Here's ours up front — the rest of this page just shows our work.

Your data is yours

We never sell it, and Truss never uses Customer Content to train AI. You can export everything any time. If you ever leave, we delete it on request.

Encrypted at every step

AES-256 at rest, TLS 1.3 in transit. Your data is encrypted on the way in, while it's sitting in our database, and on the way back out.

Real disclosure, fast

If something happens, you hear from a human at Truss within 24 hours — what went wrong, what we did, and what we're doing differently. No legalese, no spin.

How we secure your data

The boring parts, done well.

Security stops being interesting when it becomes habit. Here's what we do without thinking about it, because thinking about it later is too late.

Encryption everywhere

AES-256 at rest. TLS 1.3 in transit. Encrypted database backups. Encrypted log streams. Per-tenant encryption keys for sensitive customer records.

Modern infrastructure

Hosted with Railway, a US-based hosting platform, with high-availability deployment. Logical isolation per customer tenant. No shared databases, no spreadsheets-as-a-service.

Backups & recovery

Daily encrypted backups, retained for 30 days. Multi-region replication of the primary database. Restoration drills run on a regular schedule — not just when we hope they'll work.

Least-privilege access

Internal access to customer data is restricted to the small number of engineers who genuinely need it — and every access is logged. Production access requires hardware-key auth.

AI with a real sub-processor

AI features in Desk and Automation are powered by Google Gemini. Customer content is sent to Google only when an AI feature is actively used, governed by Google's enterprise Gemini API terms. Truss does not use Customer Content to train any model and does not retain prompts after the response is delivered. See our sub-processor entry.

Audit log, always on

A tamper-evident log of who did what, when, and from where — across every Truss product. Included on every plan, not gated behind an "Enterprise" upgrade.

Account security

What your team gets.

Half of "security" is making sure the right people can sign in and the wrong people can't. We give you the tools to do that without an enterprise IT department.

Two-factor auth, built in

Every user, every account, no upgrade required. Authenticator apps, hardware keys, or one-time codes. Turn it on for everyone in one click.

SSO & SCIM

SAML and OIDC single sign-on with Google, Microsoft, Okta, and Azure AD. SCIM provisioning so people get the right access automatically when they join — and lose it when they leave.

Role-based access

Owner, admin, agent, billing, viewer — sensible roles out of the box. Custom roles when you need them. Customer data only goes where the role says it can go.

Compliance & frameworks

Where we stand, honestly.

We tell you what we have, what we're working on, and what we don't claim. Then we tell you what's relevant for the kind of business you run.

SOC 2 Type II (In progress): Audit underway — report available to customers under NDA once issued.
GDPR (Aligned): DPA available. EU sub-processor list maintained. Right-to-erasure handled on request.
CCPA (Aligned): Same machinery as GDPR. We don't sell data, so most of CCPA is a non-event for us.
HIPAA (On request): BAA available for customers with regulated workflows. Ask us if you need one.
ISO 27001 (2027): On the roadmap. SOC 2 first; ISO after we hit the next size threshold.
Pen testing (Annual): Third-party penetration test once a year. Summary report shared with customers under NDA.

Need a security questionnaire filled out, or a SOC 2 report under NDA? Email security@trussapp.co.

Built by a security engineer

Security at Truss is run by someone who's done it for a living.

Ryan Sheidow, our co-founder, spent years on the security team at Apple before starting Truss. The discipline of working on consumer-scale systems — where one bug can affect a billion people — is the discipline we bring to a platform built for two-to-twenty-person teams.

When you write us

A real person reads it — usually Ryan or another senior engineer. No tickets routed to a queue, no "your case has been escalated."

If something breaks

You hear from us within 24 hours. With specifics, not legalese. Even if the incident doesn't actually affect your tenant — we'd rather tell you and have it be nothing.

Responsible disclosure

Found something? We want to know.

If you've discovered a vulnerability in any Truss product, please email us at security@trussapp.co. We treat security reports seriously and will get back to you quickly.

What we ask
  • Give us a reasonable window to fix it before publishing
  • Don't access, modify, or exfiltrate customer data
  • Don't run automated scans against production without telling us
  • Include steps to reproduce, expected vs. actual behavior, and any impact you've already established

What we promise
  • Acknowledge your report within one business day
  • Give you a real status update on what we're doing and when
  • Not take legal action against researchers who follow this policy in good faith
  • Credit you publicly (with your permission) once the issue is fixed

Email security@trussapp.co

A bug bounty program is in the works — for now, every credible report gets a written thank-you and a small token of appreciation.

Common questions

What your IT person will ask.

Where is our data hosted?
With Railway, a US-based hosting platform, deployed for high availability. Customer data does not leave the United States by default. If you need EU-resident hosting, get in touch — we're rolling out regional tenants for customers who need them.

Do you have a SOC 2 report?
SOC 2 Type II is currently in audit; the report will be available to customers under NDA once issued. Until then, we're happy to walk through our controls in detail and share interim attestation letters from our auditor.

Can we sign a DPA / BAA?
Yes to both. A standard DPA is available on request and we can usually turn around redlines within a day or two. For HIPAA workloads, we offer a Business Associate Agreement — just email us.

Do you support SSO and SCIM?
Yes — SAML and OIDC single sign-on (Google, Microsoft, Okta, Azure AD) and SCIM provisioning are included on every plan. There's no "Enterprise tier" upcharge for either.

Do you sell our data? Use it to train AI?
We don't sell it, and Truss doesn't use Customer Content to train any AI model. AI features in Desk and Automation run on Google Gemini (Google is listed as a sub-processor at trussapp.co/subprocessors) — content is sent to Google only at the moment an AI feature is invoked and is governed by Google's enterprise Gemini API terms.

What happens if there's an incident?
You hear from a real person at Truss within 24 hours — what happened, what we did, who's affected, and what we're doing differently. We share specifics, not legalese. We'd rather over-notify on something small than under-notify on something big.

How long do you keep my data after I leave?
After cancellation, your data is retained for 30 days so you can export it or change your mind. On day 31 it's permanently deleted from production. Encrypted backups roll off after another 60 days. You can request earlier deletion at any time.

Where can I see your sub-processors?
Our current list of sub-processors lives at trussapp.co/subprocessors. We email customers at least 30 days before adding or changing one.

Can I get a copy of your security questionnaire?
Of course. We've pre-filled the SIG Lite, CAIQ, and a generic vendor security questionnaire so you don't have to wait. Email security@trussapp.co with the format you need.

Still have a question? Ask us.

If your team is evaluating Truss and your security review is the gating item, we'll get on a call with your IT or compliance person directly. No sales filter.