1. Vanta
  2. Continuous Compliance
  3. Trustpage

Trustpage

How does Trustpage Protect Data?

  • Updated

 

Data Encrypted In-Transit

  • Trustpage uses HTTPS for all applications and SSL for all database connections to protect sensitive data transmitted to and from applications.

Data Encrypted At-Rest

  • Trustpage data is hosted at Heroku, a Salesforce Company. All data is encrypted at rest with AES-256, block-level storage encryption. Keys are managed by Amazon, and individual volume keys are stable for the lifetime of the volume.

Passwords Encrypted

  • Trustpage uses Auth0 for authentication. Auth0 only stores passwords for users that do not use SSO. Auth0 never stores passwords in cleartext—they are always hashed and salted securely using bcrypt.

Data Protection Officer

  • Trustpage has implemented a set of internal policies and procedures related to data protection that all our employees must follow. Trustpage has appointed Jay Lloyd, Head of Trust, as its Data Protection Officer (DPO). As DPO, he is accountable for enforcing these policies and ensuring that data protection issues are promptly communicated to our CEO.

Data Backup

  • Trustpage has automated data backups that run daily to protect against data loss. Critical systems have a Recovery Point Objective (RPO) of 24 hours or less.

Data Access Limitation

  • Trustpage follows the principle of least privilege when granting employees access to our systems. Access to data is limited to legitimate business needs and employees' roles. Trustpage periodically reviews employee access to ensure their access level continues to align with their role—access may be downgraded or revoked at this time. An employee's access is revoked promptly upon termination.

Secure Document Storage

  • Trustpage utilizes secure data storage for uploaded resources. Managed keys are used to encrypt and decrypt resources stored on disk. When sharing resources with a visitor for the first time, the user will be prompted to create an account with your Trust Center. The user must access the email account for whom the resource was shared. A user's access to the document can be revoked anytime through the application.

Was this article helpful?

Have more questions? Submit a request