TrustLayer

Security & operations

Security overview

Calm, factual summary for procurement and IT reviewers. Replace placeholders with your production controls, subprocessors, certifications roadmap, and incident response commitments after internal review.

Draft page: expand with SOC 2 status, pen-test cadence, data residency, and support SLAs as they exist—never imply controls you have not implemented.

Encryption in transit

Use HTTPS for the marketing site and TLS for service-to-service calls in production. TLS is normally terminated at your edge or load balancer following your infrastructure standards; if it is, record whether the hop from the load balancer to application nodes is re-encrypted or stays inside a private network, and which minimum TLS version you accept, because reviewers will ask for both.

Tenant isolation

The product is designed around workspace tenancy so that each customer's data stays partitioned. For customer security reviews, document your production isolation model: how every query is scoped to the workspace (enforced in the data access layer rather than in individual request handlers), how authorization decisions are made, and which actions are recorded in audit logs.

Hosted billing (Stripe)

Subscriptions and payment methods are handled by Stripe Checkout and the Customer Portal, so card details are entered on Stripe-hosted pages and TrustLayer never stores raw card numbers. Webhook endpoints verify the Stripe signature over the raw request body before acting on an event.

Document ownership & retention

Customers retain ownership of materials they upload and produce. Retention, export, and deletion policies should be spelled out in your enterprise DPA—this page is a high-level overview only.

Human-reviewed AI workflow

AI outputs are drafts until your team reviews and approves them. TrustLayer is a workflow tool—not automated compliance, legal advice, or certification.

No automatic compliance guarantees

No configuration of TrustLayer replaces your policies, contracts, or regulatory obligations. Security posture and compliance outcomes remain your responsibility.

Operational expectations

  • Webhook endpoints reject events whose Stripe signature is missing or invalid, whose signed timestamp falls outside the tolerance window, or whose event id has already been processed (replays). Any development-mode bypass must not be reachable from a production configuration.
  • Secrets (the Stripe secret key and webhook signing secret, provision tokens) stay server-side and never enter the browser bundle; only Stripe's publishable key is meant for the client.
  • Audit trails for approvals and exports should be described in product documentation for enterprise buyers.
  • Access reviews, change management, and vendor due diligence remain your internal processes—we support the workflow layer.
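The webhook checks described under "Hosted billing (Stripe)" and in the first operational expectation above, as an added example that is not TrustLayer's own code and does not use the Stripe SDK. It implements the documented Stripe-Signature scheme directly: the header carries `t=<unix time>` and one or more `v1=<hex>` values, where each v1 is HMAC-SHA256 of `"<t>.<raw body>"` under the endpoint signing secret, and Stripe's default replay tolerance is 300 seconds. The secret, the event body, and the in-memory dedup set are constructed placeholders; in production the dedup store would be shared across workers and expire entries, and the body passed in must be the raw bytes received, not JSON re-serialized by a framework.

```python
import hashlib
import hmac
import json

# Placeholder signing secret; a real one comes from the Stripe dashboard and
# is configured server-side only (never shipped to the browser bundle).
ENDPOINT_SECRET = "whsec_example_secret_not_real"
TOLERANCE_SECONDS = 300  # Stripe's default window for rejecting stale events


def parse_signature_header(header):
    """Split 't=...,v1=...,v1=...' into (timestamp, [v1 signatures]).
    Other schemes (e.g. v0) are ignored. Raises ValueError when malformed."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)  # ValueError on non-numeric timestamp
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("missing t or v1")
    return timestamp, signatures


def compute_signature(secret, timestamp, raw_body):
    """HMAC-SHA256 over '<timestamp>.<raw body>' as lowercase hex."""
    signed_payload = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def sign_for_test(secret, timestamp, raw_body):
    """Builds a header the way Stripe would; used only to construct test input."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, raw_body)}"


class WebhookVerifier:
    def __init__(self, secret, tolerance=TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self.seen_event_ids = set()  # placeholder for a shared store with TTL

    def verify(self, raw_body, header, now):
        """Returns (accepted, reason, parsed_event_or_None).
        Order: signature, then timestamp window, then event-id dedup."""
        if not header:
            return False, "missing signature header", None
        try:
            timestamp, signatures = parse_signature_header(header)
        except ValueError:
            return False, "malformed signature header", None
        expected = compute_signature(self.secret, timestamp, raw_body)
        # Constant-time compare against every v1 value (Stripe may send several
        # during a secret rotation).
        if not any(hmac.compare_digest(expected, s) for s in signatures):
            return False, "signature mismatch", None
        # The timestamp is inside the signed payload, so a forged one fails
        # the check above; a genuine but old one is a replay.
        if abs(now - timestamp) > self.tolerance:
            return False, "timestamp outside tolerance", None
        event = json.loads(raw_body)
        event_id = event.get("id")
        if not event_id:
            return False, "event id missing", None
        if event_id in self.seen_event_ids:
            return False, "duplicate event id", None
        self.seen_event_ids.add(event_id)
        return True, "ok", event


# Constructed sample event body (not a real Stripe payload).
SAMPLE_BODY = json.dumps({
    "id": "evt_example_001",
    "type": "checkout.session.completed",
    "data": {"object": {"id": "cs_example", "customer": "cus_example"}},
}).encode()
SAMPLE_TIME = 1_700_000_000


def demo():
    """Runs the verifier over the sample event and a few hostile variants."""
    verifier = WebhookVerifier(ENDPOINT_SECRET)
    header = sign_for_test(ENDPOINT_SECRET, SAMPLE_TIME, SAMPLE_BODY)
    results = {
        "fresh": verifier.verify(SAMPLE_BODY, header, SAMPLE_TIME)[1],
        "replayed_id": verifier.verify(SAMPLE_BODY, header, SAMPLE_TIME)[1],
        "stale": WebhookVerifier(ENDPOINT_SECRET).verify(
            SAMPLE_BODY, header, SAMPLE_TIME + 600)[1],
        "tampered_body": WebhookVerifier(ENDPOINT_SECRET).verify(
            SAMPLE_BODY + b" ", header, SAMPLE_TIME)[1],
        "unsigned": WebhookVerifier(ENDPOINT_SECRET).verify(
            SAMPLE_BODY, "", SAMPLE_TIME)[1],
    }
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:14s} -> {reason}")
```

Signature and timestamp checks defeat forgery and delayed replays; the event-id check covers the remaining case where Stripe legitimately retries a delivery inside the window, which is why handlers should also be idempotent rather than relying on dedup alone.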

Review packaging

For RFPs, attach your architecture summary, DPA draft, and subprocessors list alongside this page. Buyers equate thorough documentation with operational seriousness—keep claims aligned with what you actually run.

Questions for security or procurement? Contact sales.