Security Overview

Security at TrustWays AI is built around least privilege, defence in depth, encrypt everything, and audit everything. Every Customer's data is logically isolated; every access is logged; every change is reviewable.

• In transit: TLS 1.2+ on every network connection (HSTS-preload, modern cipher suites only).
• At rest: AES-256 encryption on RDS Postgres, S3, EBS, and ElastiCache.
• Backups: automated point-in-time recovery + cross-region snapshots, encrypted with KMS-managed keys.
• Key management: AWS KMS for master keys; secrets in AWS Secrets Manager with rotation.

Tenant isolation is enforced at two layers:

• Application: every database query is scoped by org_id through a base repository. The repository pattern makes it impossible for application code to read another tenant's data by accident.
• Database: PostgreSQL Row-Level Security policies enforce the same org_id scoping at the storage layer as a defence-in-depth control.

Cross-tenant data leaks are treated as P0 security incidents. We test for this regime in CI and in periodic security reviews.

• Role-based access control with four built-in roles: Owner, Admin, Reviewer, Member, Viewer.
• Mandatory MFA for Owner + Admin roles.
• SSO / SAML 2.0 + SCIM provisioning available for Growth + Enterprise tiers.
• Short-lived JWT access tokens (15 min) + 7-day refresh tokens in httpOnly cookies.
• TrustWays staff access to production is granted just-in-time, MFA-gated, fully audited, and time-boxed.

Every state-changing action in the platform creates an audit entry — who, what, when, before-state, after-state. The audit log is hash-chained: each entry references the SHA-256 of the previous, making silent tampering detectable. Customers can verify chain integrity on demand from the Audit page.

• Cloud: AWS (eu-central-1 primary; regional deployments for IN, US, CH, UK residency choices).
• Container orchestration: EKS, with private subnets and minimal egress.
• Secrets: AWS Secrets Manager. No secrets in repository or environment files.
• Network: separate VPCs per environment; bastion access via SSM Session Manager only (no SSH key sprawl).

• Code review required for every change.
• SAST + dependency scanning in CI (Semgrep, Dependabot).
• Type-safe stack: Pydantic v2 + TypeScript strict mode eliminates entire classes of bugs.
• Pre-commit secret-scanning to prevent accidental key commits.
• Annual penetration test (3rd-party) — report available under NDA for Enterprise customers.

We patch critical vulnerabilities in dependencies within 7 days of disclosure (24 hours for actively-exploited 0-days). We run continuous Dependabot scans and a weekly Trivy image scan. CVE backlog is reviewed every sprint.

A 24x7 on-call engineer is paged on any P0/P1 alert. Customers affected by an incident are notified within 48 hours (faster for confirmed personal-data breaches — see our DPA Clause 10). A post-mortem is published within 14 days of resolution.

• RTO target: 4 hours · RPO target: 1 hour.
• Cross-region snapshots + tested restore runbook (quarterly DR drill).
• Stateless application tier auto-scales; database multi-AZ with automated failover.

We're in active progress on SOC 2 Type II and ISO 27001 certification (target completion: Q3 2026). Until then, we provide the controls evidence we have today under NDA for Enterprise customers — and we eat our own dog food by running TrustWays AI internally against ISO 42001 + GDPR.

Found something? We want to know. Email security@trustways.ai with details. PGP key available on request. We acknowledge within 1 business day and aim to triage within 3 business days. Responsible disclosure is appreciated — we credit researchers in our security hall of fame on request.