Your inventory data is critical to your business. We protect it with the same security standards used by banks and healthcare companies.
All stored credentials and sensitive data are encrypted at rest using AES-256-GCM, an authenticated-encryption mode that detects tampering as well as protecting confidentiality.
All data transmitted between your browser and our servers is encrypted with TLS 1.3. HSTS with preloading ensures browsers never attempt a plaintext connection to our domain.
The application is hosted on Vercel's edge network; data is stored in Supabase (AWS us-east-1). Your stored data never leaves US data centers.
Automated daily database backups with 30-day retention. Point-in-time recovery available.
Every database table enforces row-level security (RLS). Organizations can only access their own data, and this is enforced by Postgres policies at the database level, not just in application code.
Granular RBAC with 20 discrete permissions across four default roles (Owner, Admin, Manager, Viewer). Custom roles supported. Financial data, exports, and admin features are gated per-permission.
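As an added example (not tru-stock.ai's own schema), this is what a Supabase/Postgres implementation of the two claims above looks like: a tenant-isolation policy on a table, plus permission-gated writes and a permission-gated financial column on top of it. Table, column and permission names (org_members, role_permissions, products, 'products.write', 'financials.read') are assumptions for illustration; auth.uid() is the helper Supabase provides that returns the calling user's UUID from the request JWT.

```sql
-- Added example, not tru-stock.ai's own schema. Table, column and
-- permission names (org_members, products, role_permissions,
-- 'products.write', 'financials.read') are assumptions; auth.uid()
-- is Supabase's helper that returns the calling user's UUID from the JWT.

create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null,            -- owner | admin | manager | viewer | custom
  primary key (org_id, user_id)
);

create table role_permissions (
  org_id     uuid not null,
  role       text not null,
  permission text not null,         -- one row per permission granted to a role
  primary key (org_id, role, permission)
);

create table products (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null,
  sku       text not null,
  unit_cost numeric                 -- financial field, gated separately below
);

-- security definer so the policy can read org_members without that table's
-- own RLS applying (prevents policy recursion); stable so it is cached per query.
create or replace function current_user_org_ids()
returns setof uuid
language sql security definer stable
set search_path = public
as $$
  select org_id from org_members where user_id = auth.uid();
$$;

create or replace function has_permission(p_org uuid, p_perm text)
returns boolean
language sql security definer stable
set search_path = public
as $$
  select exists (
    select 1
    from org_members m
    join role_permissions rp
      on rp.org_id = m.org_id and rp.role = m.role
    where m.user_id = auth.uid()
      and m.org_id  = p_org
      and rp.permission = p_perm
  );
$$;

grant select, insert, update, delete on products to authenticated;

-- enable + force: even the table owner is subject to the policies.
alter table products enable row level security;
alter table products force row level security;

-- Tenant isolation (permissive): a row is visible, and may be written,
-- only if it belongs to one of the caller's organizations.
create policy products_tenant_isolation on products
  for all to authenticated
  using      (org_id in (select current_user_org_ids()))
  with check (org_id in (select current_user_org_ids()));

-- Permission gates must be RESTRICTIVE: permissive policies are OR-ed
-- together, so a permissive write policy would not narrow anything.
create policy products_insert_needs_permission on products
  as restrictive for insert to authenticated
  with check (has_permission(org_id, 'products.write'));

create policy products_update_needs_permission on products
  as restrictive for update to authenticated
  using (has_permission(org_id, 'products.write'));

create policy products_delete_needs_permission on products
  as restrictive for delete to authenticated
  using (has_permission(org_id, 'products.write'));

-- Financial column gating: expose unit_cost only to holders of
-- 'financials.read'. security_invoker (Postgres 15+) makes the view run
-- with the caller's privileges, so the RLS policies above still apply.
create view products_for_app
  with (security_invoker = true) as
select id, org_id, sku,
       case when has_permission(org_id, 'financials.read')
            then unit_cost end as unit_cost
from products;

grant select on products_for_app to authenticated;

-- Verification (run inside a transaction as the 'authenticated' role):
--   set local role authenticated;
--   select set_config('request.jwt.claims', '{"sub":"<user uuid>"}', true);
--   select count(*) from products;   -- only rows from that user's orgs
--   insert into products (org_id, sku) values ('<other org>', 'X');  -- rejected
```

Two caveats worth checking in any deployment of this pattern: the Supabase service-role key connects as a role that bypasses RLS, so it must only ever be used server-side and never shipped to a browser; and because permissive policies are combined with OR, any permission gate added later must also be declared restrictive, or it silently widens access instead of narrowing it.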
All API endpoints are rate-limited to prevent abuse. Login attempts, data exports, and sync operations have strict per-org and per-IP limits.
All user inputs are validated and sanitized. File uploads are restricted to approved types with size limits. All exports are hardened against CSV (spreadsheet formula) injection.
Every significant action — logins, exports, syncs, setting changes — is logged with timestamps, user identity, and IP address for compliance review.
Powered by Supabase Auth with bcrypt password hashing, email verification, and secure session tokens.
Sessions expire after inactivity. Users can view active sessions and sign out all devices from settings.
New team members must be invited by an Owner or Admin. No self-registration to organization accounts.
We are actively working toward SOC 2 Type II certification for our platform. The third-party services we build on hold their own attestations:
SOC 2 Type II certified. HIPAA compliant infrastructure.
SOC 2 Type II certified. ISO 27001 certified.
PCI DSS Level 1 certified, the highest level of payment-card security.
SOC 2 Type II certified. Your data is never used for model training.
You own your data. We never sell, share, or use your inventory data for any purpose other than providing the service.
AI analysis runs per-organization. Your data is never mixed with other customers'. OpenAI does not train on your data.
Download a complete backup of all your data (products, sales, POs, forecasts) as CSV files. Request full deletion at any time.
California residents can request access to or deletion of their personal information and opt out of its sale.
We monitor availability and application errors 24/7 using Sentry error tracking, Vercel uptime monitoring, and automated health checks.
In the event of a security incident, we will notify affected customers by email within 72 hours with the details known at that time and the remediation steps to take.
Report security vulnerabilities: security@tru-stock.ai