
Truework Security and Trust Overview

This whitepaper provides an overview of Truework’s security posture by describing the technologies and processes put in place to secure customer data.
Truework Security Team

At Truework, the security and integrity of our customers' data are built into the foundation of Truework's service and culture. We believe in empowering individuals to own and control their personal information in a safe and secure way. Through this belief, Truework strives to be the trusted and secure source for consumer income and employment verifications.

Protecting customer and consumer data is imperative to Truework's products and services and is also built into our company's DNA as a regulated Consumer Reporting Agency (CRA). The Truework mindset and mission of considering the consumer first and building the future reinforces and fortifies our internal culture of security and privacy. Security and privacy at Truework are not just a team but a cultural mindset spanning the business.

Truework has invested in protecting the data we steward since inception, achieving ISO 27001 and SOC 2 certifications in 2019, within two years of founding. Today, Truework continues to build upon those early investments through expanded headcount, internal compliance activities, and embedded Security Engineers who actively contribute to Truework's products and services while also automating the tools and tests that ensure security is built into the Truework product and service stack. Truework engages with industry partners to build more effective, efficient frameworks and tools, such as the OF-DSS, in cooperation with other leaders in the space, with the goal of lifting the security posture of businesses around us and driving common-sense security and privacy practices throughout our partner and customer ecosystems.

Some tools, techniques, and processes that are core to Truework include:

• Truework’s security and trust pillars: Data protection, cyber resiliency, and trust

• Field-level encryption is in use for all sensitive data

• Tokenization of PII in our infrastructure

• Encryption at Rest (AES-256) in use on all sensitive data

• Encryption in Transit (TLS 1.2) enforced across external facing services

• Principle of least privilege implemented for access control

• A strong Secure Development Life-Cycle (SDLC)

• Regular penetration tests and vulnerability scanning

Organizational Security

A Dedicated Team of Experts in Security

Founded in 2017, Truework has made security-conscious investments since the very beginning. Truework currently employs 7 full-time security, risk, and compliance professionals who are a part of the software engineering and product division.

Security services at Truework are delivered through the Security and Trust organization, which provides data protection and cyber resiliency capabilities to the product and the business. The team is tasked with maintaining the company's defenses and driving and maintaining security processes and the SDLC, while building out the security infrastructure, testing, and tooling that implement Truework's security policies. The Truework Risk and Compliance team drives strategies tailored to the needs of the business and its customers.

The Security and Trust organization leaders have decades of experience in venture-backed startups and large public enterprise companies. Truework strives to build and maintain a strong security culture. The influence of this culture is apparent throughout the organization and product build.

This white paper is divided into three sections: data protection, cyber resiliency, and trust. The data protection section details the organization's strategy and how privacy by design and data security are put in place at all levels of the organization.

The cyber resiliency section describes how Truework anticipates, withstands, and recovers from adverse conditions, attacks, or compromises of sensitive systems.

Lastly, the trust section details the methods Truework uses to offer customers assurance throughout the service, utilizing risk as the strategic cornerstone and language that translates across the business.


Data Protection

Data protection is the set of strategies and processes used to secure the privacy, availability, and integrity of data. At Truework, we implement data protection as a top-level strategy in order to build a security and privacy program that is cohesive and easy to communicate.

Below is a list of strategies that are implemented into Truework’s data privacy and security strategy:

• Security: field-level encryption with PBKDF2-derived keys, AES-256 at rest, TLS 1.2 in transit, activity monitoring, incident response, anomaly detection, Intrusion Detection System (IDS), patch management, vulnerability management

• Privacy: FCRA, Data Classification, Principle of Least Privilege, Data minimization, Data Quality Procedures, Data Deletion Strategies, Privacy Centric Policies, 3rd Party Risk Management, Consumer Consent, Employee Training and Awareness

Below are more details on the strategies:

Principle of Least Privilege

• Ensures that the minimum amount of information is released for the transaction

• A robust and granular permissions model covering Truework staff and automated processes

• Access to data and reports is gated via approvals and is time-boxed

• Access to production systems is heavily gated, monitored, and limited in scope

Data Residency & Portability

All data is stored and processed only in the US and is not transferred outside the US. Truework is 100% hosted on AWS, and all data resides in US AWS regions.

Data Security: Encryption & Data Anonymization

• Encryption at Rest (AES-256) is in use on all sensitive data

• Encryption in Transit (TLS 1.2) enforced across external facing services

• Field-level encryption in use for sensitive data

• Tokenization of PII in our infrastructure

Architecture

• We are a cloud-native company with a multi-tenant service fully hosted on AWS. Truework collects only the data required to deliver products and services to its customers.

• Truework operates as a Consumer Reporting Agency (CRA) under the Fair Credit Reporting Act (FCRA). The FCRA has strict requirements for the sharing of consumer data.

• All of Truework's application code is developed under a secure software development lifecycle. All code is reviewed and tested before deployment. Secure code reviews are based on the OWASP secure coding guidelines, which cover input validation, output encoding, authentication, password management, session management, access control, cryptography, and related areas.

Physical Security

We use AWS exclusively, which provides physical safeguards, environmental safeguards, infrastructure support and management, and storage services supporting the system. For additional information, please see AWS’s Security Whitepaper.

For Truework offices, physical security measures include badge readers, cameras, and an alarm system. Entry and egress points have self-closing, locked doors with RFID access readers; employees are issued access cards, and visitors require an appointment to gain access.

Secure Software Development Lifecycle & Automated Analysis

Truework authors and maintains a documented System Development Life Cycle (SDLC) and Secure Engineering Principles Policy. Infrastructure is managed as code through Terraform Cloud. All code is managed and reviewed centrally, with the required approvals obtained before merging. Manual and security-focused code reviews are performed for new architectures, integrations, and products, as well as for changes to existing systems that may have a security impact.

Engineers are trained on this process, which is documented in the secure development policy and requires structured design, code review, and security review. Static analysis, automated testing, and automated deployment are part of the delivery pipeline.

Authentication

Truework has a centralized identity management store for provisioning and access control to general systems. Truework employees use SSO exclusively to access administrative functions. Truework SSO enforces strong second factors, including but not limited to mobile push, TOTP, and FIDO2 (of these, only FIDO2 is phishing-resistant).

Endpoint Security

All endpoints are centrally configured and managed via MDM. Every device is verified to have endpoint protection, data loss prevention, and antivirus installed, with security settings and configuration profiles managed through the MDM solution.


Cyber Resiliency

Strategic security technologies and core processes of Truework’s cyber resiliency are broken into 3 categories: Protect, Detect and Respond. There are various technologies and strategies utilized in each, as listed below.

• Protect: Least privilege, encryption, segmentation, backups, patching, change control, documentation, authentication

• Detect: EDR, VPC Flow, Centralized Logs, Monitoring & Alerting, Open source analysis, static analysis, container analysis, change management

• Respond: SIEM/Runbooks, BC/DR, IR, Vulnerability Management, Incident Notification, Horizon scanning, Risk Analysis; Internal and External Incident Response, Disaster Recovery, Business Continuity Plan, Cyber Insurance

Below are more details on the strategies:

Business Continuity & Disaster Recovery, Availability and Uptime

Truework leverages AWS's redundant infrastructure to ensure availability and protect against data loss. AWS data centers are monitored 24/7, and access is strictly controlled to authorized individuals. Data backups are held in multiple secure locations to ensure redundancy and availability. Our recovery point objective (RPO) target is twenty-four (24) hours, and our recovery time objective (RTO) is two (2) hours. Our business continuity plans and tests are assessed for effectiveness at least annually. In addition, our recovery plans are reviewed at least annually or whenever significant changes are introduced to our environment.

Truework maintains an internal availability target of 99.9% or above.

Downtime is typically resolved within minutes and at most within hours. Customers are notified of any significant period of downtime, whether planned or unforeseen.

Vulnerability Management

Truework conducts security reviews on its environment, web applications, and supporting assets periodically. There are appropriate measures for infrastructure monitoring and alerting 24 hours a day, 7 days a week. Vulnerability scans are conducted before code commit and prior to application deployment. Truework’s systems and services are architected so that all system components are automatically updated at least weekly.

Secure Deletion

Truework ensures that customer data is securely disposed of upon request; secure deletion of the underlying storage is handled by AWS. Truework retains customer data for a minimum period determined by its data classification, and for as long as necessary to provide the service. When the service ends, the data is deleted or returned. Retention periods also respect the Fair Credit Reporting Act (FCRA) and other applicable regulations, laws, commitments, and contractual obligations.

Data Access and Restrictions

Truework operates as a Consumer Reporting Agency (CRA) and must adhere to the Fair Credit Reporting Act (FCRA). The FCRA has strict requirements for the sharing of consumer data pursuant to specific permissible purposes. As part of assessing whether a requesting party has a permissible purpose, the requesting party is vetted and confirmed to be legitimate. In addition to these requirements, Truework requires that each disclosure of consumer data be authorized by consumer consent.

The employee whose record is requested must authorize the release of information, ensuring their data is never used without explicit consent. Strict system-wide permission controls ensure that data access is restricted and only authorized personnel have access.

Truework follows the least privilege principle, and privileged access is only granted to people with a business need. Centralized identity and access management systems are used to restrict access to the systems and services within the environment. If a Truework employee requires access to a customer’s data to help process or troubleshoot verifications, access is monitored, logged, and only granted on an as-needed basis.


Trust

Truework uses a risk-based approach in how it delivers its products and services, not just for the minimum processes and policies required to deliver its security frameworks. The founding team demonstrates its commitment by heavily investing in the Security, Risk, and Compliance teams. Best-of-breed security technology is used wherever possible to enhance transparency and provide resilience and control over Truework systems and customer data. This commitment to managing risk and providing transparency to customers is an ongoing process. This accounts for an evolving threat landscape, which Truework is nimble enough to meet — architecturally, technically, as well as philosophically in how it treats and manages risks.

Truework is a Consumer Reporting Agency (CRA)

• Adherence to FCRA

Data accuracy & governmental programs

• Fannie Mae Day 1 Certainty® (D1C)

Independent third-party certifications

• AICPA SOC 2 (since 2019)

• ISO 27001 certified (since 2019)

Security Culture and Awareness

Subject to applicable law, Truework conducts background checks for new hires. We also engage in a tiered interview process to assess the candidate’s qualifications and competence for the role.

Once new hires have accepted an offer of employment, they are enrolled in onboarding training. Truework’s security and privacy awareness program consists of mandatory training for all new hires, annual participation for existing employees, and role-based training for specialized functions.

All new employees are required to review and acknowledge all policies, procedures, handbooks, and confidentiality agreements as a condition of employment.
