Trulioo is committed to data security, risk management and technical support. The Trulioo Information Security and Technical Compliance team delivers layers of preventive measures, including awareness training, to protect Trulioo technology and the data that fuels a global platform of verification services. The team establishes and validates controls and procedures to manage risk while providing the infrastructure to ensure the organization’s continued operations.
Top-Level Credentials Ensure Data Security and Privacy
ISO 27001 Certification
The security framework, created by the International Organization for Standardization (ISO), assesses a company’s ability to keep its data safe through policies, procedures, training, monitoring, auditing, incident response and communications. Trulioo has been ISO 27001-certified since 2015.
SOC 2 Type 2 Qualification
Service Organization Control (SOC) 2 Type 2, created by the American Institute of Certified Public Accountants, is a cybersecurity framework that establishes standards for how third-party service providers should securely store and process customer data. Trulioo obtained SOC 2 Type 2 in February 2024.
Key Components of the Trulioo Information Security Program
Trulioo policies and procedures define responsibilities and establish best business practices to ensure the confidentiality, integrity and availability of information and technology resources.
All users of Trulioo information and technology resources must complete annual information security and privacy training. Employees also regularly undergo phishing awareness training.
Trulioo applies multiple layers of controls to manage access to information systems. Those include multifactor authentication, single sign-on and password management tools that prevent unauthorized access. When working remotely, employees access Trulioo systems through a virtual private network. Trulioo grants access to its systems based on the principle of least privilege and regularly conducts user access reviews.
Trulioo operates in a hosted environment and has designed its infrastructure for redundancy and automatic failover across multiple regions to ensure uptime. Network segmentation, logging and monitoring, web-application firewalls, and load balancing provide security and availability management. A third party annually conducts penetration tests of Trulioo networks and applications.
Trulioo aligns with the EU’s General Data Protection Regulation for data classification, labeling, handling and security. Trulioo encrypts all data at rest and in transit based on industry standards. Employee training also strengthens protections for Trulioo data and the information provided by customers and partners.
Trulioo has a comprehensive program to manage the risk associated with third-party relationships. The program includes due diligence at onboarding, risk management, incident outreach and awareness, annual supplier and partner reassessments, and ongoing reporting and management oversight. Trulioo and third parties agree to contractual obligations for information security.
Trulioo undergoes frequent audits. That includes an annual internal audit covering ISO 27001 requirements by an independent third party, an assessment of ISO 27001 ISMS by a qualified registrar and a SOC 2 Type 2 audit by an accredited external firm.
Trulioo leadership has established roles and responsibilities for managing and securing data and technology resources. The executive management and senior leadership teams participate in quarterly Security Committee meetings to ensure awareness, provide feedback and guidance, and maintain ongoing information security management and oversight.
Frequently Asked Questions
Learn more about Trulioo data security and privacy.
Staff members learn the security policy at onboarding, during annual training and in monthly phishing awareness exercises.
Trulioo monitoring tools provide alerts for anomalous access and failed access attempts, which are then manually reviewed as required.
Trulioo has a suite of policies governing information security as required by ISO 27001 and supplemented by business operations. Executive leadership signs off on all policy updates and communicates that to all staff members.
Trulioo requires complex passwords that include at least one special character, one numeral and one upper-case letter. Passwords must be changed at regular intervals.
Service Organization Control Type 2, created by the American Institute of Certified Public Accountants, is a cybersecurity framework that establishes standards for how third-party service providers should securely store and process customer data.
The security framework, created by the International Organization for Standardization, assesses a company’s ability to keep its data safe through policies, procedures, training, monitoring, auditing, incident response and communications.
Trulioo manages access based on the principle of least privilege and on a need-to-know basis.