Trust Center

Security at Trustpage

Security, privacy, and reliability are at the core of our DNA. We’re leading the way in creating a new era of trust in software.

  • Compliance Standards

    Last updated Fri, Apr 22, 2022
    • CCPA

      Trustpage is fully committed to the California Consumer Privacy Act (CCPA). The CCPA is a law that allows any California consumer to request all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. If you wish to request your information that Trustpage has collected from you, please submit your request to support@trustpage.com.

    • GDPR

      Trustpage is in full support of the General Data Protection Regulation (GDPR). GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The regulation allows EU citizens to request all the information a company has saved on them, in addition to requesting that all personal information is removed from a company's systems and any subprocessors who have handled their data. If you wish to request your information that Trustpage, and its subprocessors, have collected from you, please submit your request to support@trustpage.com.

    • SOC 2 Type I

      Trustpage is being examined to attest that its system and the suitability of the design of its controls meet the AICPA's SOC 2 Type I requirements.

  • Product Security

    Last updated Tue, May 17, 2022

    We’re committed to building a product with a robust set of security features to keep you and your customers safe.

    • Audit Logs

      Trustpage audit logs capture all changes made to trust center content including topics, roadmap items, FAQs, and resources. The log tracks the type of change, the time it happened, the member who made the change, and when applicable, the version history of the change. This includes all comments and member activity such as invitations and joins.

    • Role-Based Access Control (RBAC)

      Trustpage allows you to manage your team by adding or removing those within your company whom you wish to grant access to manage your Trust Center. Members invited to the Trust Center can have Administrator or Collaborator access. Administrators have full access, while Collaborators have limited access to the Trust Center.

    • Google SSO

      Google SSO enables Gmail and G Suite users to sign in to other applications such as Trustpage using their Google account. SSO simplifies the management of passwords and identity, helping improve security by reducing the potential for stolen passwords among other attacks.

    • SAML SSO

      Trustpage supports SAML SSO to allow Trust Center administrators and collaborators to authenticate using their organization's Identity Provider to simplify the management of passwords and identity. Please contact support to receive assistance with configuration.

    • SCIM User Management

      Trustpage has implemented SCIM, or System for Cross-domain Identity Management, in its product to allow customers to use their Identity Provider to easily provision and de-provision user accounts for their employees. Please contact support for setup instructions.

  • Data Security

    Last updated Tue, Nov 9, 2021
    • Data Encrypted At-Rest

      Trustpage data is hosted at Heroku, a Salesforce Company. All data is encrypted at rest with AES-256, block-level storage encryption. Keys are managed by Amazon, and individual volume keys are stable for the lifetime of the volume. You can find more detail about EBS encryption here.

    • Data Encrypted In-Transit

      Trustpage uses HTTPS for all applications and SSL for all database connections to protect sensitive data transmitted to and from applications.

    • Passwords Encrypted

      Trustpage uses Auth0 for authentication. Auth0 only stores passwords for users that do not use SSO. Auth0 never stores passwords in cleartext—they are always hashed and salted securely using bcrypt.

  • Privacy

    Last updated Fri, Apr 8, 2022
    • Privacy Policy

      Your privacy is important to us. It is Trustpage's policy to respect your privacy regarding any information we may collect from you across our website. Trustpage only collects data that we need and only retains it for as long as necessary.

      Trustpage does not share any personally identifying information publicly or with third-parties, except when required to by law.

    • Third-Party Cookie Commitment

      Trustpage has made a commitment from day one not to use third-party cookies, in order to protect the privacy rights of our users. If you want to support our campaign against third-party cookies, please read How to make sure you are not allowing third-party cookies.

    • Data Retention Policy

      Trustpage retains data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Detailed information about retention periods is documented in Trustpage's Data Management Policy.

    • Data Processing Addendum

      Trustpage has a data processing addendum outlining its terms for the processing of personal data. Our data processing addendum can be requested on our Trust Center's Resources page.

    • Data Protection Officer (DPO)

      Trustpage has appointed Jay Lloyd, Head of Trust, as its Data Protection Officer (DPO).

  • Incident Management & Response

    Last updated Fri, Apr 8, 2022
    • Data Breach Notification

      In the event of unauthorized access to data, Trustpage will notify its customers and other affected parties about the breach within 24 hours, or as required by law, as well as take specific steps to remedy the situation to prevent future incidents.

    • Incident Response Plan (IRP)

      Trustpage has an Incident Response Policy that outlines its Security Incident management process. The policy describes escalation procedures and communication plans in case of an incident. It ensures incidents are remediated as quickly as possible and keeps affected customers informed. If you would like to learn more, please request a copy of Trustpage's Incident Response Plan.

  • Availability & Reliability

    Last updated Fri, Apr 8, 2022
    • Denial of Service (DoS) Protection

      Trust Centers

      Trustpage uses Fastly's DDoS Protection and Mitigation Service to protect customers' Trust Centers. Fastly's edge-based filtering technology automatically blocks disruptive attacks at the network and transport layers to protect our applications.

      Directory

      Trustpage uses Cloudflare DDoS protection to protect its Directory Service. Cloudflare's protection works in tandem with its cloud web application firewall (WAF), Bot Management, and other L3/4 security services to protect assets from cyber threats of all kinds.

    • Quality Assurance Testing

      Trustpage follows a Change Management process for changes to production software. All code changes must undergo a peer code review and include automated unit, functional, and security testing. Testing is performed after deployments to validate application functionality. If validation fails, the application is rolled back to its previous version.

    • Service Monitoring

      Trustpage uses Datadog to monitor its systems to detect service-related issues. The Trustpage team is alerted 24x7 when threshold criteria are exceeded.

    • Status Page

      Trustpage's system availability can be viewed in real-time.

  • Organizational Security

    Last updated Fri, Apr 8, 2022
    • Confidentiality Agreements

      Trustpage will provide documents upon request. Please submit your request to support@trustpage.com.

    • Employee Security Training

      Trustpage employees undergo monthly Security Awareness training provided by Curricula.

    • Employee Workstations Automatically Locked

      Trustpage uses Rippling for device management. Employee devices automatically lock after a period of inactivity and immediately require a password to unlock.

    • Employee Workstations Encrypted

      Trustpage uses Rippling for device management to enforce disk encryption using FileVault on employee laptops.

    • Limited Employee Access (Principle of Least Privilege)

      Trustpage follows the principle of least privilege when granting employees access to our systems. Access to data is limited to legitimate business needs and employees' roles. Trustpage periodically reviews employee access to ensure their access level continues to be in alignment with their role; access may be downgraded or revoked at this time. An employee's access is revoked promptly upon termination.

    • Physical Access Control

      Trustpage is a remote-first company and all employees work remotely. Trustpage has a Physical Access Control Policy that applies to Trustpage's suppliers, vendors, and third parties that handle Trustpage data. If you would like to learn more, please request a copy of Trustpage's Physical Security Policy.

    • Secure Remote Network Access

      Trustpage's employee workstations use NordLayer's VPN, which provides end-to-end encryption for a private, secure connection to the internet. VPN connections are monitored regularly and employees are alerted if they are disconnected from the network.

  • Business Continuity

    Last updated Fri, Apr 8, 2022
    • Business Continuity Plan

      Trustpage has implemented Business Continuity as part of an integrated Business Continuity and Disaster Recovery Plan. This plan prepares Trustpage in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. If you would like to learn more, please request a copy of Trustpage's Business Continuity and Disaster Recovery Plan.

    • Disaster Recovery Plan

      Trustpage has implemented Disaster Recovery as part of an integrated Business Continuity and Disaster Recovery Plan. This plan prepares Trustpage in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame. If you would like to learn more, please request a copy of Trustpage's Business Continuity and Disaster Recovery Plan.

    • Data Backups

      Trustpage has automated data backups that run daily to protect against data loss.

  • Infrastructure

    Last updated Tue, Nov 9, 2021

    Trustpage hosts its application at Heroku, a Salesforce company. Heroku's physical infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. For additional information visit the AWS Security page.

    • FISMA - Moderate - Data Center
    • ISO 27001 - Data Center
    • PCI-DSS - Level 1 - Data Center
    • SOC 2 Type II - Data Center
    • Sarbanes-Oxley (SOX) - Data Center
    • Physical Access Control - Data Center

      Trustpage hosts its applications at Heroku, a Salesforce company. Heroku utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

      Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

      For additional information see: https://aws.amazon.com/security

    • Environmental Safeguards - Data Center

      Trustpage hosts its data and application at Heroku, a Salesforce company. Heroku utilizes the following safeguards:

      Fire Detection and Suppression

      Automatic fire detection and suppression equipment have been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

      Power

      The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.

      Climate and Temperature Control

      Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.

      Management

      Data center staff monitor electrical, mechanical, and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

      For additional information see: https://aws.amazon.com/security

  • Threat Management

    Last updated Tue, May 17, 2022
    • Bug Bounty

      Trustpage takes the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

      We require that all researchers:

      • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
      • Perform research only within the scope set out below
      • Use the identified communication channels to report vulnerability information to us
      • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Trustpage until we’ve had 90 days to resolve the issue.

      If you follow these guidelines when reporting an issue to us, we commit to:

      • Not pursue or support any legal action related to your research
      • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission)
      • Recognize your contribution in our Security Researcher Hall of Fame below, if you are the first to report the issue and we make a code or configuration change based on the issue
      • Consider paying a cash reward if the vulnerability is determined to be of high impact and probability

      The impact assessment is based on the attack’s potential for causing privacy violations, financial loss, and other user harm, as well as the user-base reached.

      The probability assessment takes into account the technical skill set needed to conduct the attack, the potential motivators of such an attack, and the likelihood of the vulnerability being discovered by an attacker.

      If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@trustpage.com. Please include the following details with your report:

      • Description of the location and potential impact of the vulnerability;
      • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
      • Your name/handle and a link for recognition in our Hall of Fame.

      To learn more about the qualifying vulnerabilities that apply to our program, please read our full Vulnerability Disclosure Policy.

      Security Researcher Hall of Fame

      Name              | Profile      | Disclosure                          | Date
      ------------------|--------------|-------------------------------------|-------------------
      Yeshwanth B       | linkedin.com | Reverse tabnabbing                  | July 1, 2021
      Gaurav Popalghat  | twitter.com  |                                     | July 10, 2021
      Gaurang Maheta    | linkedin.com | Unauthenticated cache purge request | September 10, 2021

    • Dynamic Application Security Testing (DAST)

      Trustpage uses ZAP to scan its web applications. ZAP crawls our applications and examines the responses from the application to identify security vulnerabilities. Vulnerability reports are reviewed for risk assessment and prioritized for remediation.

    • Static Application Security Testing (SAST)

      Trustpage uses Snyk to scan its source code. Snyk detects security vulnerabilities in our application code and open source packages. Vulnerability reports are reviewed for risk assessment and prioritized for remediation.

  • Subprocessors

    Last updated Mon, Nov 29, 2021
    Name       | Purpose                          | Location
    -----------|----------------------------------|---------
    Auth0      | Authentication and authorization | USA
    Datadog    | Logging and monitoring           | USA
    Fastly     | DNS and Hosting provider         | USA
    Hasura     | Data service provider            | USA
    Heroku     | Hosting service provider         | USA
    HubSpot    | CRM integration (optional)       | USA
    Paragon    | Integration services             | USA
    Salesforce | CRM integration (optional)       | USA
    SendGrid   | Email service provider           | USA
    Slack      | Notification services (optional) | USA

  • Report an Issue

    If you believe you've discovered a security-related issue, please contact us at security@trustpage.com.