Privacy Policy
Last updated: 23 June 2026
Trst ("Trst", "we", "us") provides a compliance-automation platform. This policy explains what personal data we process, why, and the rights you have. It is written to align with India's Digital Personal Data Protection Act, 2023 (DPDP) and the EU GDPR.
1. Who we are
Trst is the data fiduciary/controller for personal data processed through our platform. For privacy questions or to exercise your rights, contact our grievance officer at privacy@trst.tech.
2. Data we collect
Account data — name, work email, organization name, and a hashed password.
Connector credentials — API tokens/keys you choose to connect (e.g. AWS, GitHub, Okta, Google Workspace), stored encrypted at rest.
Evidence & metadata — control-test results, configuration facts and timestamps we collect from systems you connect, to evidence your compliance.
Usage data — basic logs of platform actions for security and accountability.
3. Why we process it (purpose & lawful basis)
We process data to provide the service you signed up for (performance of contract), to keep the platform secure, and to meet legal obligations. We do not sell your data, and we do not use your connected-system data for advertising.
4. Where it is hosted
Trst is hosted on infrastructure located in India. We do not transfer personal data outside India except where necessary to provide the service and permitted by law.
5. Security
Connector credentials are encrypted at rest using AES-256-GCM; data in transit is protected with TLS. Access is role-based and least-privilege, evidence is hash-verified and append-only, and platform actions are recorded in an immutable activity log.
6. Retention
We retain personal data for as long as your account is active and as required to provide the service or comply with law. On account closure, we delete or anonymise personal data within a reasonable period, unless retention is legally required.
7. Your rights
Subject to applicable law, you may request access to, correction of, or erasure of your personal data, withdraw consent, and raise a grievance. To exercise these rights, email privacy@trst.tech. We respond within statutory timelines.
8. Sub-processors
We use a limited set of infrastructure sub-processors (e.g. our hosting provider and email delivery) under data-processing agreements. A current list is available on request at privacy@trst.tech.
9. Children's data
Trst is a business tool and is not directed to children. We do not knowingly process the personal data of children.
10. Changes
We may update this policy from time to time. Material changes will be notified through the platform or by email.
This document is a good-faith template tailored for Trst and should be reviewed by qualified legal counsel before relying on it for a production service.