Security & Trust

Trst handles sensitive credentials and compliance evidence, so security is foundational to how we build. This page summarises the controls protecting your data. We hold ourselves to the same standards we help our customers meet.

Encryption

Connector credentials are encrypted at rest with AES-256-GCM using a master key kept outside the database. All traffic is served over TLS (HTTPS), with HTTP automatically redirected to HTTPS.

Data residency

Your data is hosted on infrastructure located in India — relevant for DPDP data-residency expectations.

Access control

Access within the platform is role-based and least-privilege. Auditors can be granted read-only access; privileged actions are restricted to administrators.

Evidence integrity

Every piece of evidence is timestamped and SHA-256 hashed, and control-test results are written to an append-only timeline — never overwritten — preserving chain-of-custody for audits.

Activity logging

Every platform action (sweeps, credential changes, exports, logins) is recorded in an immutable activity logfor accountability.

Least access to your systems

We ask only for read-only scopes where possible, and you can revoke any connected credential at any time.

Responsible disclosure

If you believe you have found a security issue, please report it to security@trst.tech. We appreciate responsible disclosure and will respond promptly.

Our own roadmap

Trst is pursuing its own SOC 2 and DPDP posture using the very platform we offer customers — and we'll publish our trust report as it matures.