Security and Compliance

Rest Assured With Top-Tier Data Security

Trulioo is dedicated to ensuring the highest level of privacy and data security, and it has the credentials to prove it.

Trulioo is committed to data security, risk management and technical support. The Trulioo Information Security and Technical Compliance team delivers layers of preventive measures, including awareness training, to protect Trulioo technology and the data that fuels a global platform of verification services. The team establishes and validates controls and procedures to manage risk while providing the infrastructure to ensure the organization’s continued operations.

Top-Level Credentials Ensure Data Security and Privacy

ISO 27001 Certification

The security framework, created by the International Organization for Standardization (ISO), assesses a company’s ability to keep its data safe through policies, procedures, training, monitoring, auditing, incident response and communications. Trulioo has been ISO 27001-certified since 2015.

SOC 2 Type 2 Qualification

Service Organization Control (SOC) 2 Type 2, created by the American Institute of Certified Public Accountants (AICPA), is a cybersecurity framework that establishes standards for how third-party service providers should securely store and process customer data. Trulioo obtained SOC 2 Type 2 in February 2024.

Key Components of the Trulioo Information Security Program

Regulatory Compliance

Trulioo policies and procedures define responsibilities and establish best business practices to ensure the confidentiality, integrity and availability of information and technology resources.

Security Awareness Training

All users of Trulioo information and technology resources must complete annual information security and privacy training. Employees also regularly undergo phishing awareness training.

Access Control

Trulioo applies multiple layers of controls to manage access to information systems. Those include multifactor authentication, single sign-on and password management tools that prevent unauthorized access. When working remotely, employees access Trulioo systems through a virtual private network. Trulioo grants access to its systems based on the principle of least privilege and regularly conducts user access reviews.

Infrastructure Security and Availability

Trulioo operates in a hosted environment and has designed its infrastructure for redundancy and automatic failover across multiple regions to ensure uptime. Network segmentation, logging and monitoring, web application firewalls, and load balancing provide security and availability management. A third party conducts annual penetration tests of Trulioo networks and applications.

Data Protection and Encryption

Trulioo aligns with the EU’s General Data Protection Regulation (GDPR) for data classification, labeling, handling and security. Trulioo encrypts all data at rest and in transit based on industry standards. The AWS Key Management Service (KMS) manages Trulioo keys. Employee training also strengthens protections for Trulioo data and the information provided by customers and partners.

Third-Party Risk Management

Trulioo has a comprehensive program to manage the risk associated with third-party relationships. The program includes due diligence at onboarding, risk management, incident outreach and awareness, annual supplier and partner reassessments, and ongoing reporting and management oversight. Trulioo and third parties agree to contractual obligations for information security.

Audits and Assessments

Trulioo undergoes frequent audits. These include an annual internal audit covering ISO 27001 requirements by an independent third party, an assessment of the ISO 27001 information security management system (ISMS) by a qualified registrar and a SOC 2 Type 2 audit by an accredited external firm.

Governance and Oversight

Trulioo leadership has established roles and responsibilities for managing and securing data and technology resources. The executive management and senior leadership teams participate in quarterly Security Committee meetings to ensure awareness, provide feedback and guidance, and maintain ongoing information security management and oversight.

Frequently Asked Questions

Learn more about Trulioo data security and privacy.

Staff members learn the security policy at onboarding, during annual training and in monthly phishing awareness exercises.

Trulioo logically segregates all client data based on account ID and does not allow client data outside of production.

Trulioo monitoring tools provide alerts for anomalous access and failed access attempts, which are then manually reviewed as required. Trulioo also reviews application error and uptime notifications as needed.

Trulioo has a suite of policies governing information security as required by ISO 27001 and supplemented by business operations. Executive leadership signs off on all policy updates and communicates those updates to all staff members.

Trulioo requires 12-character passwords that include at least one special character, one numeral and one upper-case letter. Passwords must be changed every 90 days, or 360 days if paired with multifactor authentication. The previous 12 passwords may not be reused.

SOC 2 Type 2 (Service Organization Control 2 Type 2), created by the American Institute of Certified Public Accountants, is a cybersecurity framework that establishes standards for how third-party service providers should securely store and process customer data.

ISO 27001, the security framework created by the International Organization for Standardization, assesses a company’s ability to keep its data safe through policies, procedures, training, monitoring, auditing, incident response and communications.

Trulioo manages access based on the principle of least privilege and on a need-to-know basis.