policies on its website.
TruCentive information systems and technical infrastructure are hosted within world-class, SOC 2 accredited data centers, including those provided by Amazon Web Services and Microsoft Azure. Amazon’s controls are described in this link, and Azure’s are located here. These data centers include monitoring 24×7, security cameras, visitor logging and restrictions, and very strict requirements for obtaining access. Typically, it is impossible for a customer of these data centers to actually visit them.
TruCentive relies on industry partners such as Stripe for processing and storage of Payment Card Information. TruCentive does not store any customer payment card information. Any payment card information that is collected is collected using industry partner websites or controls hosted on industry partner domains. Our industry partners conform to all relevant Payment Card Industry Data Security Standards, such as PCI DSS 3.2.
TruCentive controls access to its infrastructure in a number of different ways. Access to deployment environments is only permitted via secure mechanisms such as SSH. Our corporate password policies enforce good password hygiene with requirements for length, complexity, and uniqueness.
TruCentive’s security policies are reviewed and updated at least once per year. We require our employees to review and acknowledge the policies upon hiring, and on an annual basis. TruCentive supplies resources for job-specific security and skills development. For particular job functions, privacy law training is provided.
To the extent permitted by law, TruCentive performs background screening at the time of hire. All employees are required to sign non-disclosure agreements and to acknowledge the review of TruCentive’s information security policies. TruCentive provides ongoing privacy and security training.
TruCentive has a cross-functional team responsible for security compliance and incident response. This team is also responsible for application and system security.
TruCentive encrypts data at rest and in transit. Secure TLS cryptographic protocols are used for communication.
The TruCentive development team employs best practices for coding in a defensive and secure manner. The OWASP “Top Ten” is used as a starting point. Development, testing, verification, and deployment are performed in different environments, with code changes communicated, reviewed, and tracked through code repositories.
Information Security Incident Management
TruCentive’s information security policies cover initial response, investigation, customer notification, public communication, and remediation. These policies are reviewed.
No procedures or policies can guarantee absolute security, even with best efforts and perfect execution. No method of electronic storage is perfectly secure, nor is transmission of information over the internet. If we learn of a TruCentive security breach, we will notify all affected users so that they can take appropriate steps. Our breach notification procedures are consistent with our obligations under applicable country level, state and federal laws and regulations, as well as any applicable industry rules or standards. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
Information Security Aspects of Business Continuity Management
TruCentive’s production databases are backed up on a full and incremental basis. Backups are regularly verified.
Your Responsibilities as a TruCentive Customer
Preserving the security of your data requires that you maintain the security of your account by using sufficiently complicated passwords, storing them safely, and not sharing them with anyone else. Any device or computer you use to access the TruCentive service should be maintained to prevent infection by viruses, and kept up to date with the latest relevant security and program updates.
Logging and Monitoring
Application and infrastructure systems log and store information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized TruCentive personnel. Logs are preserved in accordance with regulatory requirements.