How TruSecure protects your data.
Last updated: 17 July 2026 · Version 2.0
1. Scope
This Security Statement describes the administrative, technical and organisational measures TruSecure operates to protect personal data and Customer Content within Resilience Fabric and on related corporate infrastructure. It is published in fulfilment of GDPR Art. 32 and the equivalent duty under UK GDPR Art. 32, and is incorporated by reference into the Data Processing Addendum.
2. Governance
- An information-security policy is reviewed at least every 6 months, or sooner if a material change occurs.
- Roles and responsibilities are aligned to the ISO/IEC 27001:2022 control set.
- A named function has operational accountability for security. The function-holder sits at senior management level and reports to the Managing Director of TRUSECURE S.R.L. The function-holder's name is recorded in the controllers' internal register of processing activities under Art. 30 GDPR and is available on request under NDA.
3. Personnel security
- Background screening is performed proportional to role sensitivity for personnel with access to production data.
- Confidentiality undertakings bind all staff and contractors.
- Security awareness training is delivered at induction and at least every 6 months thereafter.
4. Access control
- Least-privilege access based on documented roles.
- Multi-factor authentication is required for all access to production systems, administrative consoles and the private inference infrastructure.
- Access reviews are performed at least quarterly and recorded.
5. Cryptography and key management
- TLS 1.3 enforced on every external endpoint (TLS 1.2 permitted where a client does not negotiate 1.3).
- At-rest encryption uses AES-256 with keys held in an external key-management service; rotation follows the documented schedule.
- Customer Content is logically segregated by tenant identifier at the persistence layer.
6. Network security
- Production networks are segmented from corporate networks.
- Egress filtering, default-deny rules and a managed Web Application Firewall in front of public endpoints.
- Intrusion detection on production traffic with security-team triage.
7. Service continuity — important distinction
TruSecure distinguishes a commercial availability commitment from a personal-data availability commitment.
- Commercial availability: TruSecure does not commit to a service-level agreement for Customer Content availability in a disaster scenario. The Resilience Subscription Agreement contains the binding commercial availability terms where applicable.
- Personal-data availability (binding regardless of any commercial SLA): TruSecure maintains backups of Customer Content sufficient to restore availability and access to personal data in a timely manner following a physical or technical incident, in accordance with GDPR Art. 32(1)(b)(ii). Backups are stored in the EEA region described in the SaaS Data Handling page.
8. Logging, monitoring and incident response
- Centralised logging covers authentication, administrative and data-access events with tamper-evident retention.
- A 24/7 incident response process operates with named on-call coverage.
- Security incidents involving personal data are triaged against the breach-notification duties in GDPR Art. 33 and 34, and the NIS2 incident-reporting duties in Directive (EU) 2022/2555 Art. 23, where applicable.
- Customers are notified of a confirmed personal data breach without undue delay and in any event within the timescales in the DPA.
Two retention classes apply:
- Service-event logs: retention period is configurable by the customer in the tenant settings.
- TruSecure-personnel access logs to Customer Content: retention is fixed at minimum 12 months and cannot be reduced by the customer. This is necessary for GDPR Art. 32 and incident-response obligations.
9. Vendor management
- A due-diligence process for sub-processors is documented; see the Sub-processor List.
- Each sub-processor is bound by data-processing terms consistent with GDPR Art. 28.
10. AI-specific security
- A human approval boundary on every decision that creates a legal or significant effect (see the AI Transparency Statement).
- All inferences inside Resilience Fabric are executed on private inference infrastructure operated in the EEA.
- Prompt-injection and indirect-prompt-injection mitigations are applied to every flow that consumes external content.
11. Customer controls
Customers may, in writing, request a copy of the current security-questionnaire responses at security@trusecure.co. Penetration-test summaries may be made available under NDA.
12. Certifications
TruSecure is currently pursuing third-party certifications. Status: pending. Independent certifications will be added to this Section when issued.
