Security & compliance
Where the data lives — and what it doesn’t.
Written for procurement, IT security, and legal reviewers. No marketing wrapper — facts as they stand today, including the things we don’t yet claim.
Forwardable URL. If your security team needs a vendor questionnaire or a counter-signed DPA, see Contact at the bottom.

Sub-processors
Where your data is processed.
The full list of third parties that touch subject or respondent data, with region and transfer basis. Anthropic and Stripe are in the United States and are covered by Standard Contractual Clauses; everything else is in the EU.
| Service | Purpose | Region | Transfer basis |
|---|---|---|---|
| Supabase | Managed Postgres (subject + respondent data, RLS-enforced), passwordless auth. | EU | Within the EU. |
| Anthropic | LLM inference for the Criteria Designer, Interviewer, and Synthesizer. | United States | EU → US under Standard Contractual Clauses, signed Anthropic DPA. Messages API only — no Batch, Files, server Memory. |
| Resend | Transactional email (magic-link sign-in, respondent invites, reminders). | EU | Within the EU. |
| Stripe | Payment processing for the $50 one-off and $100/yr plans and for-teams license pools. | United States (Stripe global infrastructure) | EU → US under Standard Contractual Clauses. Card data is collected by Stripe directly; Trueings never sees or stores card details. |
| PostHog | Product analytics (event counts only — cookieless, no session recording, no autocapture, no per-person profile). | EU (eu.i.posthog.com) | Within the EU. |
Hosting: the application itself runs on managed serverless infrastructure (Vercel). No customer feedback content is stored in application logs; the canonical store is Supabase.
Retention
What we keep, for how long, and what we don’t.
Raw transcripts are deleted by a scheduled database job 30 days after each campaign’s synthesis. The job runs daily and is auditable. After it runs, the campaign cannot be re-synthesised — only the anonymised report remains.
| Data | Retained for | Handling |
|---|---|---|
| Raw respondent transcripts | 30 days after a campaign’s synthesis is finalised | Purged daily by a scheduled database job. After purge, the campaign cannot be re-synthesised; only the anonymised report remains. |
| Synthesised report (themes, Johari map, dev plan) | Lifetime of the subject’s account | Identifier-scrubbed by the mandatory Confidentiality Guard pass. The subject can export or delete it at any time. |
| Account, consent, billing records | Lifetime of the account + the period required by EU tax / consumer law | Tied to the subject; deleted on account erasure subject to statutory retention. |
| Aggregated operational logs (no respondent content) | Up to 90 days | Used for incident response and abuse detection. No respondent answers; no feedback content. |
Confidentiality is architectural
Enforced in code, not by policy.
The product can’t leak feedback to the wrong party because the wrong party isn’t in the data path. These are structural guarantees, not commitments.
- Row-level security on every sensitive table. Default-deny, narrow policies; the database itself rejects cross-account reads.
- The Synthesizer never sees respondent identity. It receives evidence text only — no names, no email addresses, no link back to who said what — so even an arbitrary prompt cannot exfiltrate what isn’t in its context.
- A deterministic Confidentiality Guard runs before the subject sees anything. It enforces the minimum-respondent threshold, the soft-gate detail reduction, and a final identifier scrub. It is not an LLM judgement.
- For-teams: the firm’s portal is content-blind by design. It exposes redemption count and completion rate only — never identity, content, or themes.
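An added example of the two structural points above, the identity-free Synthesizer context and the deterministic Confidentiality Guard, written for this page and not taken from Trueings' codebase. The threshold value, the `Response` fields, the sample responses and the sample report are all assumptions; the page states that a minimum-respondent threshold and an identifier scrub exist, not how they are parameterised, and the soft-gate detail reduction is not modelled here.

```python
"""Added example (not Trueings' own code): a deterministic Confidentiality Guard.

It enforces a minimum-respondent threshold before anything is synthesised,
builds the Synthesizer's input from evidence text only (no identity fields),
and runs a final identifier scrub over the report. No LLM judgement anywhere.
The threshold value, the Response fields and the sample data are assumptions.
"""
import re
from dataclasses import dataclass

MIN_RESPONDENTS = 3  # assumed value; the page says a threshold exists, not its size


@dataclass(frozen=True)
class Response:
    respondent_id: str  # identity fields never reach the Synthesizer
    name: str
    email: str
    text: str           # the only field that does


class BelowThreshold(Exception):
    """Too few distinct respondents for the report to be safe to show."""


def distinct_respondents(responses) -> int:
    return len({r.respondent_id for r in responses})


def meets_threshold(responses) -> bool:
    return distinct_respondents(responses) >= MIN_RESPONDENTS


def synthesizer_input(responses):
    """Evidence text only, with identity fields dropped.

    The count check runs before any text leaves this function, so a campaign
    with too few respondents never reaches the model at all. Sorting by text
    makes the output independent of submission order.
    """
    if not meets_threshold(responses):
        raise BelowThreshold(
            f"{distinct_respondents(responses)} respondents < {MIN_RESPONDENTS}")
    return sorted(r.text for r in responses)


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_identifiers(report: str, responses) -> str:
    """Final scrub: redact every known respondent name and email (whole-word,
    case-insensitive), then anything else that still looks like an email."""
    out = report
    for r in responses:
        for ident in (r.name, r.email):
            if ident:
                out = re.sub(r"\b" + re.escape(ident) + r"\b", "[redacted]", out,
                             flags=re.IGNORECASE)
    return EMAIL_RE.sub("[redacted]", out)


def guard(responses, report: str) -> str:
    """Full pass before the subject sees anything: threshold gate, then scrub."""
    synthesizer_input(responses)  # raises BelowThreshold if the gate fails
    return scrub_identifiers(report, responses)


# Constructed sample data for a stand-alone run.
SAMPLE = [
    Response("r1", "Ada Lovelace", "ada@example.com", "Runs meetings well but interrupts."),
    Response("r2", "Grace Hopper", "grace@example.com", "Clear writer, slow to delegate."),
    Response("r3", "Alan Turing", "alan@example.com", "Great at unblocking others."),
]
SAMPLE_REPORT = ("Theme: delegation. Grace Hopper and ada@example.com "
                 "both noted slow delegation.")

if __name__ == "__main__":
    print(guard(SAMPLE, SAMPLE_REPORT))
```

The point of splitting `synthesizer_input` from `scrub_identifiers` is that the first is a property of what the model can see and the second is a property of what the subject can see; a prompt injected through a respondent answer cannot recover a name the model was never given, and the scrub is a backstop for names a respondent may have typed into their own evidence.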
Authentication & access
Passwordless, scoped, audited.
- Subjects sign in via single-use magic links to a verified email. No passwords are stored or accepted. Magic-link issuance is rate-limited and silent-fails on enumeration probes.
- Respondents do not have accounts. Each invite is a signed, audience-scoped, single-use JWT bound to one specific response; the algorithm is pinned, and tokens are invalidated on submit.
- Firm administrators authenticate the same way as subjects — magic link to a verified email — into a separate, content-blind portal.
- Operator access is limited to a small number of named staff via an environment-gated admin surface. Staff do not access feedback content in the normal course of operation; database access is logged.
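An added example of the respondent invite described above: a signed, audience-scoped, single-use JWT bound to one response, verified against a pinned algorithm and invalidated on submit. This is illustration code written for this page, not Trueings' implementation; it uses only the Python standard library rather than a JWT library, and the claim names, audience string, TTL, secret and the in-memory `submitted` set (standing in for a database flag on the response row) are assumptions.

```python
"""Added example (not Trueings' own code): a respondent invite as a signed,
audience-scoped, single-use JWT bound to one response id, verified with a
pinned algorithm and invalidated on submit. Standard library only (no PyJWT).
The claim names, audience string, TTL, secret and the in-memory `submitted`
set (standing in for a database flag) are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

ALG = "HS256"              # the only algorithm this verifier will ever accept
AUD = "respondent-invite"  # tokens minted for any other audience are rejected


class InvalidInvite(Exception):
    pass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def mint_invite(response_id: str, secret: bytes, ttl: int = 7 * 86400, now=None) -> str:
    """Issue one invite token bound to exactly one response."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    claims = {"aud": AUD, "sub": response_id, "iat": now, "exp": now + ttl}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{b64url_encode(sign(signing_input, secret))}"


def verify_invite(token: str, secret: bytes, submitted: set, now=None) -> str:
    """Return the bound response id, or raise InvalidInvite.

    Checks, in order: shape, pinned algorithm, signature, audience, expiry,
    single use. The header's alg is compared to the constant and never used
    to choose a verifier, so a token carrying any other alg fails before the
    signature is even looked at.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidInvite("malformed token")
    h64, c64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except ValueError:
        raise InvalidInvite("undecodable token")
    if not isinstance(header, dict) or header.get("alg") != ALG:
        raise InvalidInvite("algorithm is not the pinned one")
    if not hmac.compare_digest(sign(f"{h64}.{c64}", secret), sig):
        raise InvalidInvite("bad signature")
    claims = json.loads(b64url_decode(c64))  # parsed only once the signature holds
    if not isinstance(claims, dict) or claims.get("aud") != AUD:
        raise InvalidInvite("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise InvalidInvite("expired")
    response_id = claims.get("sub")
    if not response_id or response_id in submitted:
        raise InvalidInvite("already used")
    return response_id


def invite_is_valid(token, secret, submitted, now=None) -> bool:
    try:
        verify_invite(token, secret, submitted, now)
        return True
    except InvalidInvite:
        return False


def submit_response(token, secret, submitted, now=None) -> str:
    """Accept a submission and invalidate the token: any replay now fails."""
    response_id = verify_invite(token, secret, submitted, now)
    submitted.add(response_id)
    return response_id


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # sample value, not a real key
    used = set()
    token = mint_invite("resp-42", secret)
    print(submit_response(token, secret, used), invite_is_valid(token, secret, used))
```

Two design points worth noting. The audience claim is what keeps an invite token from being accepted by the subject or firm-administrator surfaces, which share no audience string with it; and binding `sub` to the response id rather than to the respondent is what makes "no respondent accounts" work, since the token identifies a slot to fill, not a person.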
Encryption & transport
Standard, end-to-end.
- In transit: TLS 1.2+ for every connection — browser ↔ application, and application ↔ each sub-processor.
- At rest: encryption is provided by each sub-processor (linked in the table above) — Supabase-managed Postgres, Vercel-managed runtime, Resend, Stripe, PostHog.
- Card data: handled by Stripe directly via Checkout. Trueings never sees or stores card numbers.
- Secrets: application secrets live in the platform’s encrypted env store; the service-role database key never reaches the browser.
What we don’t claim
The things we’d rather you read here than not at all.
The opposite of a marketing security page. If a control or certification isn’t below, assume we don’t have it yet — and if it’s important to your review, tell us and we’ll say what the plan is.
No SOC 2
We have not completed a SOC 2 audit. Type I is scoped for the B2B2C mid-market phase; we will publish the report when it’s ready and not before.
No ISO 27001
Not pursued for the beta. We will reconsider when buyer demand makes it material.
No formal DPIA on file
A Data Protection Impact Assessment is reserved for healthcare expansion. The current product is GDPR-by-design (confidentiality enforced structurally, not via policy) and is documented as such in the Privacy notice and DPA.
No anti-bot CAPTCHA on the sign-in form yet
Magic-link sign-in is rate-limited and silent-fails on enumeration attempts; a CAPTCHA is on the roadmap.
Anthropic Zero-Data-Retention: requested, verification pending
Our Anthropic org is on the Commercial tier and we have requested ZDR. The Privacy notice and DPA will be updated, and existing subjects re-consented, the moment ZDR coverage is confirmed.
Independent security review
Reviewed at source before launch.
The codebase underwent a source-level security review on 2026-05-19. No Critical findings were identified. All High-severity and Medium-severity items raised by the review have been remediated, with one exception that is documented and accepted as a monitorable residual rather than prevented (a sock-puppet edge case against the anonymity minimum).
The review focused on authentication, the interview engine, the Confidentiality Guard, billing, and abuse-prone surfaces. We can share the scope and remediation summary on request as part of a vendor questionnaire.
Breach notification
72 hours, in writing, with what we know and what we’re doing.
If we become aware of a personal-data breach affecting subject or respondent data, we will notify the relevant controller without undue delay and within 72 hours where the breach is likely to result in a risk to data subjects, in line with Article 33 of the GDPR. The procedural commitments are in the Data Processing Agreement.
Legal documents
The contract and the disclosures, in one place.
Privacy notice
What we process, why, for how long, your rights — for subjects and respondents.
Terms of service
The contract for subjects using Trueings directly.
Master Subscription Agreement
The contract for firms buying a license pool for their people.
Data Processing Agreement
Roles, sub-processors, retention, transfers, security measures, breach notification.
Contact
For your security team.
For a vendor questionnaire, a counter-signed DPA, a sub-processor change-notification subscription, or any question this page doesn’t answer, email teams@trueings.com. We respond within two business days.
For data-subject requests (access, deletion, portability), subjects use the in-product privacy controls; respondents and third parties can email privacy@trueings.com.