Security built for the people who answer security questionnaires.
You're uploading your most sensitive documents — security policies, SOC 2 reports, AI risk registers. We hold ourselves to the same standards we're helping you prove. That means we've filled out our own CAIQ, written our own policies, and we'll tell you honestly what we have and don't have.
Four things we don't cut corners on.
Encrypted at rest and in transit
AES-256 at rest for all Customer Content and credentials. TLS 1.2+ enforced on every connection, with HSTS across our domains. Database backups are encrypted with separate keys stored in a different region.
- AES-256-GCM at the storage layer
- TLS 1.2+ with modern ciphers only
- Secrets managed in a hardened vault — never in source control
Tenant isolation by default
Your knowledge base, drafts, and questionnaires are scoped to your account at the database row level using Postgres Row-Level Security. No shared tables, no cross-tenant queries — and no workaround that could accidentally expose them.
- Postgres RLS enforced on every table
- Per-tenant data scoping in every query
- Production access is least-privilege and audit-logged
No training on your data. Ever.
We call the Claude API in stateless mode under a zero-data-retention agreement with Anthropic. Your policies are not used to train any model — not ours, not Anthropic's, not anyone's. This is contractually enforced, not a setting we can accidentally toggle off.
- Stateless LLM API calls — no session memory
- Zero-data-retention agreement with Anthropic
- No Customer Content in evals, fine-tuning, or telemetry
Hardened by default, observable always
Dependency scanning on every commit, peer code review before any deploy, structured logs retained 90 days for forensics. We operate as if we're already in an audit window — because eventually we will be.
- Automated dependency vulnerability scanning (Dependabot)
- CI checks and code review gate every production deploy
- Application and access logs retained 90 days
Five steps. No black boxes.
Every data movement is explainable in plain English. If we can't explain it, we don't ship it.
Ingest
You upload PDFs, DOCX, Markdown, or URLs. Files are parsed and chunked in memory — never written to a temporary disk in plaintext. Encrypted at rest the moment they hit storage.
Index
Chunks are embedded and stored in Postgres with RLS scoping every row to your tenant. The schema makes cross-tenant access structurally impossible, not just policy-prohibited.
Retrieve
When a question is asked, we retrieve only the chunks that belong to your tenant, ranked by relevance. The retrieval layer cannot return another customer's data — there's no code path that would allow it.
Draft
Retrieved chunks plus the question are sent to the Claude API in stateless mode under our zero-retention agreement. The model returns a draft with citations back to your source documents.
Review
You review every draft before anything goes anywhere. Nothing auto-submits. Edits update your KB. Drafts and audit trail are retained until you delete them — and deletion is real deletion.
CSA CAIQ v4.1 — all 283 questions.
TrustReply exists to help security teams answer security questionnaires. The minimum we owe you is having answered one ourselves. We completed the full Cloud Security Alliance Consensus Assessments Initiative Questionnaire v4.1 — 283 questions across 17 control domains — and it's available on request as part of our security packet.
We answered honestly. That means some controls are “Yes (Partial)” — things we do but haven't formally documented yet. We track those gaps in an open action plan, and we'll share it if you ask.
Where we are, honestly.
We're an early-stage, bootstrapped company. A wall of certification logos would be misleading. This table is accurate as of today.
| Framework | Status | Notes |
|---|---|---|
| GDPR | Compliant | DPA available. SCCs incorporated for cross-border transfers. EU data subject rights (access, erasure, portability) honored within statutory timelines. |
| CCPA / CPRA | Compliant | Service Provider terms included in DPA. We do not sell or share personal information for cross-context behavioral advertising. |
| CSA CCM v4.1 | Self-assessed | Full CAIQ v4.1 completed across all 17 control domains (283 questions). Available on request under NDA. |
| SOC 2 Type II | Planned | Not yet audited. We operate today as if we're already in the audit window — controls, logging, and policies are in place. Audit will be commissioned when our first enterprise deal funds it. |
| ISO 27001 | Planned | Targeted after SOC 2. Our control framework maps to ISO 27001 Annex A today. |
| HIPAA | Not supported | We do not sign BAAs. Do not upload PHI to TrustReply. |
| PCI DSS | Not applicable | Card numbers are handled exclusively by Stripe and never touch TrustReply servers. |
Five companies that touch your data.
Anthropic (LLM API, zero-retention), Supabase (database, auth, storage), Vercel (hosting), Resend (transactional email), and Stripe (payments, when enabled). That's the full list. Each is contracted to the same data-protection standards we hold ourselves to under our DPA.
Five steps. 72-hour notification.
The playbook is written, not improvised. If something goes wrong, here's exactly what happens.
Detect
Application logs, dependency scanning, and alerting surface anomalies. On-call is notified immediately.
Triage
Severity and blast radius are assessed. We determine whether Customer Content is implicated and escalate accordingly.
Contain
Affected credentials are rotated, sessions revoked, systems isolated. We stop the bleeding before we explain it.
Notify
Affected customers notified within 72 hours of breach confirmation with the details required by GDPR Article 33.
Remediate
Root-cause analysis, fix deployed, written post-mortem shared with affected customers. No vague 'we take security seriously' emails.
The questions procurement actually asks.
Answered plainly. No legal boilerplate.
Have you answered a security questionnaire yourselves?
Yes — we completed the full CSA CAIQ v4.1, all 283 questions across 17 control domains. 67% are full Yes, 22% are Yes (Partial) where we do the thing but haven't fully formalized it, and 2% are No with honest explanations. We track the gaps openly. The completed CAIQ is available on request as part of our security packet.
Where does my data live?
Customer Content is stored in Supabase (PostgreSQL + object storage). Application servers run on Vercel. Primary regions are US-East and EU-West. If regional data residency is a hard requirement for your deal, email us — we'll tell you honestly what we can and can't do.
How is my data encrypted?
AES-256-GCM at rest. TLS 1.2+ in transit with modern ciphers only. Database backups are encrypted with separate keys and stored in a different region from the primary database. Secrets are stored in a hardened vault — never in source code or environment files checked into version control.
Can TrustReply staff read my documents?
Production database access is least-privilege, requires justification, and is audit-logged. We do not browse Customer Content for product reasons. As an early-stage company, the founder is currently the only person with access — and that access is logged.
Do you use my data to train AI models?
No. Never. We call the Claude API in stateless mode under a zero-data-retention agreement with Anthropic. Your content is not used to train any model — ours or Anthropic's. This is contractually enforced, not a dashboard setting.
Are you SOC 2 certified?
Not yet. We're an early-stage bootstrapped company and we'd rather tell you that honestly than invent a timeline. We operate today as if we're already in the audit window — controls, logging, access reviews, and policies are all in place. The audit will be commissioned when our first enterprise deal funds it. Ask us for our completed CAIQ in the meantime — it covers the same ground.
How quickly do you notify on a breach?
Within 72 hours of confirmed breach affecting Customer Content, in line with GDPR Article 33. The notification includes the nature of the breach, data categories affected, approximate number of records, and our remediation steps. We don't send vague 'we take security seriously' emails.
Can I delete my data?
Yes. You can delete documents, questionnaires, and your full account from within the product. On account closure, Customer Content is deleted within 30 days. Encrypted backups purge on a rolling 30-day schedule. We don't hold data hostage.
Do you do penetration testing?
We run automated dependency scanning and static analysis on every commit. We haven't yet engaged an external pen-testing firm — that's one of the honest 'No' answers in our CAIQ. We plan to once the SOC 2 audit is commissioned. Results will be shared under NDA on request.
What's your patch management SLA?
Critical vulnerabilities (CVSS 9+) are patched within 72 hours. High (CVSS 7–8.9) within 7 days. Dependency updates are automated via Dependabot and reviewed weekly. We track open findings in an internal audit tracker.
Request our security packet.
Everything your vendor security review needs, sent under NDA. We'll set up the NDA in the same email thread — no separate back-and-forth.
- Completed CSA CAIQ v4.1 (all 283 questions)
- Data Processing Agreement (DPA)
- Sub-processor list with data categories
- Architecture overview and data flow diagram
- Incident response runbook
- Privacy Policy and Acceptable Use Policy