Security
Trinsic
SOC2
Trinsic is SOC2 Type II certified; our audit period runs from January 1st to December 31st each year.
Secure Software Development Life Cycle (SSDLC)
We follow best practices in security engineering to ensure the sensitive data we process is treated with the utmost care.
- During planning and design, the team threat-models each feature using the STRIDE classification model, analyzes its potential impact, and chooses the design that minimizes both privacy exposure and attack surface.
- During development, all code is peer reviewed by at least one other senior engineer. Before code can be merged, it must build, pass the test suite and pass Static Application Security Testing (SAST).
- After merging, each code change runs through an extensive suite of full-platform UI and API tests. A Dynamic Application Security Testing (DAST) tool, including authenticated scans, also runs against all endpoints at least daily.
- Our deployment environment sits behind a Web Application Firewall (WAF), Distributed Denial of Service (DDoS) protection and bot-prevention proxies. All our endpoints use the most restrictive Content Security Policy (CSP) applicable and do not allow Cross-Origin Resource Sharing (CORS). All traffic to the platform is served over TLS 1.2 or later. All sensitive keys are managed in a secure key store with audit logging enabled.
- We monitor our platform and infrastructure with a Security Information and Event Management (SIEM) tool, have an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) in place, and run continuous Cloud Security Posture Management (CSPM) monitoring.
- We commission extensive annual penetration tests against our whole platform and infrastructure.
- Our dependencies, including the base container images our infrastructure runs on, are updated weekly so that we pick up the latest vulnerability fixes.
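As an added illustration of how a practitioner would verify two of the claims in the list above from the outside (example code written for this page, not Trinsic's own tooling): a small Python audit that checks a set of HTTP response headers for a restrictive CSP and for the absence of CORS headers, plus a client-side TLS context that refuses to negotiate anything below TLS 1.2. The two header samples are constructed for the example, not captured from Trinsic's platform, and the list of "weak" CSP source expressions is an assumption about what a most-restrictive policy should exclude.

```python
import ssl
from typing import Dict, List

# Assumption: these CSP source expressions undermine a "most restrictive" policy,
# because each of them lets content load from origins the site does not control.
WEAK_CSP_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}

# Constructed sample responses (not captured from any real service): one that
# matches the stated posture and one that does not.
STRICT_HEADERS = {
    "Content-Type": "application/json",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'; base-uri 'none'",
}
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "Content-Security-Policy": "default-src * 'unsafe-inline'; script-src https:",
    "Access-Control-Allow-Origin": "*",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means the headers match the policy."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = lowered.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = parse_csp(csp)
        # Without default-src, any fetch directive that is not listed is unrestricted.
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        for name, sources in directives.items():
            for source in sources:
                if source.lower() in WEAK_CSP_SOURCES:
                    findings.append(f"CSP {name} allows {source}")

    # "Does not allow CORS" means the server never emits these headers, so a
    # browser refuses cross-origin reads of the response.
    for name in ("access-control-allow-origin", "access-control-allow-credentials"):
        if name in lowered:
            findings.append(f"CORS header present: {name}={lowered[name]}")
    return findings


def strict_client_context() -> ssl.SSLContext:
    """Client-side counterpart to 'TLS 1.2 or later': refuse to negotiate anything older."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, sample in (("strict", STRICT_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(sample) or "OK")
    print("TLS floor:", strict_client_context().minimum_version.name)
```

Running the script against a live endpoint would mean feeding `audit_headers` the headers of a real response and using `strict_client_context()` for the connection; a handshake failure with that context is itself the check that pre-1.2 TLS is rejected.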
Access control and least privilege
All access to backend infrastructure follows the principle of least privilege; only senior engineering leadership has access to production infrastructure. We require strong multi-factor authentication (MFA) on all accounts for every service we use internally.
Infrastructure
Backup and disaster recovery
Trinsic's data infrastructure on Microsoft Azure is backed up continuously, allowing recovery to a specific point in time in case of an outage.
We regularly test database recovery to confirm that these backups can actually be restored.
Logging, Monitoring and Security
Application-level and infrastructure security logs are retained for 30 days.
We employ continuous monitoring of our infrastructure and code repositories.
