TrustEngine Security Program

The goal of the Security & Compliance program at TrustEngine is to protect the confidentiality, integrity and availability of information for the organization, its employees, its customers and the affiliated information systems. Our Company’s Information Security Program was developed with guidelines from the NIST Cybersecurity Framework and ISO 27001. Our program aims to address risk, ensure a culture of security, proactively prevent security incidents, and continuously manage security threats and vulnerabilities.

While we don’t expose too much detail around our practices (as it can empower the very people we are protecting ourselves against), we have provided some general information below to give you confidence in how we secure the data entrusted to us.

Culture of Security

All Company employees are responsible for safeguarding company assets; security and privacy are a shared employee responsibility. All our employees are screened for expertise, experience and integrity. Criminal background checks are required upon hire and are re-verified periodically throughout employment. All employees are required to adhere to and acknowledge the information security policies and standards.

The security education, training and awareness program is seen as a foundational component of our security program. Initial training is carried out for employees at the time of onboarding. Additionally, ongoing quarterly security, privacy and phishing awareness training is held to maintain competency across our distributed workforce.

The Leadership team of the Company is accountable for and formally approves decisions regarding the Information Security Program.

Attestations

TrustEngine has completed the American Institute of CPAs (AICPA) SOC2 Type 2 attestation, which means the design and operating effectiveness of our controls meet rigorous standards. We can provide our SOC2 report upon request.

In an effort to constantly improve our security posture, we have shifted focus into preparing for the ISO 27001 Certification in 2024.

Platform Security

We develop and deploy solutions that balance thoughtful security controls and usability. TrustEngine provides you with the tools and support you need to ensure that all of your users engage in appropriate and compliant use of our platform. We maintain the platform security as part of our shared security model so that you can focus on your customers.

Regulatory Compliance

While we are not bound to the same regulatory controls required by lenders, we do take extra steps to ensure that we are compliant where appropriate and educate all staff on the relevant regulatory requirements for the benefit of our customers. Common regulatory policies that we review for applicability include: CFPB (Consumer Financial Protection Bureau), CCPA (California Consumer Privacy Act), GLBA (Gramm-Leach-Bliley Act), ADA (content accessibility), WCAG (Web Content Accessibility Guidelines). Our Security & Compliance team, in conjunction with our Legal team, ensures that applicable regulations and standards are factored into our program.

Physical & Logical Access Control

We are partnered with AWS for the production data centers used to store and process data; these data centers meet or exceed industry standards. By leveraging AWS we are able to build on their security infrastructure, logging, identity and intrusion protection systems and focus on delivering a scalable and secure product.

Our Company has designed internal data access processes and policies to prevent unauthorized persons and/or systems from gaining access to our systems. The Company has designed its environment to restrict access and ensure that access is relevant, timely and aligned with the individual’s job responsibilities. Our U.S.-based data centers feature 24x7 physical security.

Availability

Production data centers are designed to be fully redundant and maintained without impact to operations, 24 hours a day, seven days a week. The Company has disaster recovery plans in place and performs testing each year to validate their effectiveness.

Application Security

Software developed follows a Secure Software Development Life Cycle defined in our internal policy and procedure documents.

All data is encrypted during transmission using up-to-date versions of TLS or other security protocols, with current, industry-standard encryption algorithms and keys. Data at rest and offline backups are encrypted to ensure adequate protection of customer data.

The Company conducts periodic scans of its applications, networks, and infrastructure to detect vulnerabilities using commercially available, regularly updated scanning software.

Additionally, we leverage external consultants to perform security assessments and validate our defensive posture.

Audit Requests

The Company, in its role as a data processor, will take commercially reasonable measures to assist Clients with audits to verify compliance with the controls.

Vulnerability Disclosure

While TrustEngine appreciates external security researchers reaching out and disclosing vulnerabilities or misconfigurations within our company’s infrastructure or services, we do not directly engage with individuals and we offer no reward or compensation for submitting potential issues.

If you have a question or would like to report something to our Security & Compliance team, please contact us at security@trustengine.com.