Security & Compliance
TrustRails is built for the security requirements of retirement plan custodians and administrators. Every control, every audit, every encryption layer exists to protect participants’ retirement savings.
Standards & Compliance Readiness
Controls designed and implemented to meet industry frameworks. SOC 2 Type II audit in preparation.
Data Protection
Defense-in-depth encryption for data at rest, in transit, and at the application layer.
Encryption at Rest
AES-256 via Google Cloud KMS with customer-managed encryption keys (CMEK). All Firestore documents, Cloud Storage objects, and backups are encrypted before they touch disk.
Encryption in Transit
TLS 1.3 enforced at the load balancer. All internal service-to-service traffic uses mutual TLS. HSTS headers prevent protocol downgrade attacks.
SSN / PII Vault
Application-level envelope encryption with HSM-backed keys (RSA_DECRYPT_OAEP_3072_SHA256). Social Security numbers and sensitive PII are encrypted before storage and decrypted only in memory for authorized operations.
Key Rotation
Automatic rotation per Cloud KMS schedule. Destroyed key versions are held for 30 days before permanent deletion, ensuring recovery without compromising forward secrecy.
Access Control
Least-privilege access with multi-factor authentication and federated identity.
Identity & Authentication
- Role-based access control (RBAC) via Keycloak — admin, custodian, and participant roles with granular permissions
- Multi-factor authentication required for all administrative access
- SAML SSO supported — Okta, Microsoft Entra ID, Ping Identity, and ADFS
- 14+ character password policy with 5-attempt lockout and progressive backoff
API Security
- Tiered API keys with rate limiting — TIER1 (1,000 req/min), TIER2 (500/min), TIER3 (100/min)
- IP allowlisting available per custodian API key
- Quarterly access reviews with automated deprovisioning of inactive accounts
- All API key usage logged with full request context for forensic review
Infrastructure
Serverless, auto-scaling architecture on Google Cloud Platform.
Google Cloud Platform
Hosted in us-central1 with multi-region replication for critical data stores.
Cloud Run (Serverless)
Auto-scaling containers optimized to eliminate cold starts. Immutable deployments with instant rollback capability.
Cloud Armor WAF
Adaptive DDoS protection, OWASP Top 10 rule sets, and geo-based access policies at the edge.
Multi-Region Firestore
Automatic failover with strong consistency. Point-in-time recovery enabled for all collections.
Recovery Objectives
Documented disaster recovery plan tested quarterly. Automated Firestore backups with cross-region replication ensure data durability.
Audit & Monitoring
Immutable logging, real-time alerting, and continuous vulnerability management.
Logging & Retention
- Immutable audit logs for all operations — structured event format with correlation IDs designed for SOC 2 readiness
- 7-year retention for financial and security events, with tamper-evident log integrity verification
- Centralized logging via Google Cloud Logging with structured JSON entries and PII redaction
Threat Detection
- Real-time security monitoring via AI-powered agents analyzing authentication patterns and anomalous behavior
- Automated vulnerability scanning on every deployment via container image analysis and dependency auditing
- Critical CVE remediation: 24-hour SLA for critical vulnerabilities, 72-hour SLA for high severity
Incident Response
Tested procedures with defined SLAs and transparent communication.
Response Framework
- Documented Incident Response Plan with severity levels P1 through P4 and defined escalation paths
- Dedicated SSN vault incident response procedures with isolated containment and key revocation playbooks
- 72-hour breach notification to affected custodians and participants, in compliance with state and federal requirements
Continuous Improvement
- Quarterly tabletop exercises simulating realistic breach scenarios including ransomware, insider threat, and supply chain compromise
- Post-incident root cause analysis (RCA) with documented control improvements tracked to closure
- Lessons learned integrated into control monitoring and shared with custodian partners upon request
Vendor & Third-Party Risk
Rigorous supply chain management with contractual data protection.
Subprocessors
Governance
- Annual vendor security reviews including SOC 2 report analysis, penetration test summaries, and SLA compliance
- All vendor contracts include data protection addenda, breach notification clauses, and right-to-audit provisions
- Continuous monitoring of vendor security posture via automated alerting on public disclosures and CVE feeds
Request Our Reports
We provide full transparency to custodian security and compliance teams. Contact us for detailed control documentation.
You can also contact us directly at admin@trust-rails.com