Security & Compliance

Your data, protected by design

We built TrustOps Autopilot with the same security standards we help you demonstrate. Enterprise-grade protection for your sensitive compliance data.

Security principles

The foundations of how we protect your data

Encryption everywhere

All data encrypted in transit (TLS 1.3) and at rest (AES-256). Your questionnaires and answers are never stored in plain text.

Role-based access control

Granular permissions with least-privilege defaults. Users only see what they need. SSO/SCIM available on Growth plans.

Comprehensive audit logs

Every action logged with timestamp, user, and details. Immutable records for compliance and incident response.

Secure infrastructure

Hosted on SOC 2 certified cloud infrastructure. Regular penetration testing and vulnerability assessments.

Data retention controls

Configure retention policies to meet your requirements. Data deletion on request with verification.

Incident response

24-hour notification commitment for security incidents. Documented response procedures and post-incident reviews.

GDPR Compliance

GDPR compliant by design

We process personal data in accordance with GDPR requirements, with appropriate technical and organizational measures in place.

  • Data Processing Agreement (DPA) available
  • EU data residency option
  • Right to deletion and portability supported
  • Privacy by design principles
  • Data minimization practices

Request our DPA

Standard contractual clauses included. Pre-signed for faster procurement.

Responsible AI

AI with guardrails

We use AI responsibly to assist with answer drafting, not to replace human judgment. Every AI-generated suggestion requires human approval.

  • No training on your data—your content stays yours
  • Citations required—AI cannot export uncited answers
  • Refusal mode—AI declines to answer without evidence
  • Human-in-the-loop—all answers require approval
  • Transparent confidence scores

No citation, no export

Our guardrails ensure AI-generated content cannot be exported without verified citations to your source documents. This prevents hallucinations from reaching your buyers.

Subprocessors

Third parties that process data on our behalf

Subprocessor | Purpose | Location
Cloud Infrastructure Provider | Hosting and storage | US / EU
AI Model Provider | Answer drafting assistance | US
Authentication Provider | User authentication | US
Email Service Provider | Transactional emails | US

Full subprocessor list available in our DPA. Subscribe to updates via email.

Security documentation

Review our policies and request additional documentation

Privacy Policy

How we collect and use data

Terms of Service

Service agreement terms

Security Overview

Detailed security whitepaper

Questions about our security?

Our team is ready to discuss your security requirements.