Successfully Completed SOC 2 Type II Audit for Year 2 | Truto
Truto's public trust page: SOC 2 Type II (Year 2), ISO 27001, DPA, sub-processor list, and how to request full audit reports under NDA.
We've Successfully Completed Our SOC 2 Type II Audit for Year 2!
We are excited to share that we've successfully completed our SOC 2 Type II audit for the second consecutive year! This is a significant milestone that reflects our ongoing commitment to providing a secure and compliant platform for our customers.
Achieving SOC 2 Type II compliance isn't just about ticking a box—it's about ensuring that our processes, systems, and people are all focused on protecting your data. Over the past year, we've strengthened our controls, enhanced our infrastructure, and prioritized security in everything we do.
This post doubles as a public trust page for InfoSec teams evaluating Truto. If you landed here looking for a unified API integration provider that handles real-time data with both SOC 2 Type II and ISO 27001 attestations, everything you need to verify our claims - certification artifacts, DPA, sub-processor list, procurement Q&A, and a direct line to our security team - is below.
Truto Certifications and Attestations
Truto holds the following certifications and attestations:
| Certification / Attestation | Status | Scope |
|---|---|---|
| SOC 2 Type II | Completed (Year 2) | Security, Availability, Confidentiality |
| ISO 27001 | Certified | Information Security Management System (ISMS) |
| HIPAA | Compliant, BAA available | Protected Health Information handling |
| GDPR | Compliant, DPA available | EU personal data protection |
| CCPA | Adherent | California consumer privacy |
SOC 2 Type II is an attestation - not a pass/fail certification - issued by an independent CPA firm after evaluating the design and operational effectiveness of our controls over a sustained observation period. Completing this for the second consecutive year means an independent auditor has verified that Truto's controls didn't just exist on paper - they operated effectively throughout the entire audit window.
ISO 27001 is the internationally recognized standard for information security management systems. It covers a broader organizational scope than SOC 2, including risk management processes, security policies, and continuous improvement practices. Holding both SOC 2 Type II and ISO 27001 means Truto satisfies the compliance requirements most frequently requested during enterprise procurement - whether the buyer is US-based (SOC 2) or international (ISO 27001). SOC 2 Type II and ISO 27001 certifications can satisfy large portions of a security questionnaire automatically, which is why buyers typically ask for both.
Scope and Audit Details
Our SOC 2 Type II report covers the Trust Services Criteria for Security, Availability, and Confidentiality as defined by the AICPA. The audit evaluated Truto's unified API platform - the infrastructure, application layer, authentication systems, and operational processes that handle API requests on behalf of our customers.
Specifically, the audit scope includes:
- Infrastructure controls - encryption at rest and in transit (TLS 1.3), network segmentation, access management
- Application security - authentication handling (OAuth token storage, refresh cycles, API key management), authorization enforcement, audit logging
- Operational processes - incident response, change management, employee onboarding/offboarding, vendor management
- Availability - uptime monitoring, disaster recovery, capacity planning
- Confidentiality - data classification, access restrictions, credential isolation between customer environments
The Year 2 audit covered a 12-month observation window, during which the auditor tested whether each control operated consistently - not just whether it was designed correctly.
Downloadable Certification Artifacts (SOC 2 Type II, ISO 27001)
Here's what's available, how to obtain each artifact, and whether an NDA is required:
| Document | Availability | How to Obtain |
|---|---|---|
| SOC 2 Type II report (current, Year 2) | Under mutual NDA | Email security@truto.one |
| SOC 3 public summary | Public PDF | Request via security@truto.one |
| ISO 27001 certificate | Public PDF | Request via security@truto.one |
| ISO 27001 Statement of Applicability | Under mutual NDA | Email security@truto.one |
| Data Processing Agreement (DPA) | Downloadable, no NDA required | Email security@truto.one |
| HIPAA Business Associate Agreement (BAA) | Available on request | Email security@truto.one |
| Sub-processor list | Public, always current | See section below |
| Penetration test summary (annual) | Under mutual NDA | Email security@truto.one |
We deliberately don't post the full SOC 2 Type II or ISO 27001 SoA on our public site. These documents describe our control environment in enough detail that hosting them behind a public URL would create an information disclosure risk. NDA gating is a standard practice for these artifacts and expected by every enterprise InfoSec team we've worked with.
The NDA process
We've optimized this to be as fast as possible - the goal is not to slow you down.
- Send a one-line request to security@truto.one with the artifact(s) you need and your company name.
- We reply within one business day with our standard mutual NDA (a short, plain-English document) or accept your mutual NDA if you'd prefer to use your template.
- After the NDA is signed, we email the requested artifacts directly. No portal login, no vendor risk platform gating.
- For active procurement processes, tell us your target close date - we prioritize accordingly.
If you're sending a SIG, CAIQ, or custom security questionnaire, include the artifact request alongside it - we handle them together to speed up your review. The Standardized Information Gathering (SIG) Questionnaire is the most comprehensive and widely used standard in financial services, healthcare, and large enterprise technology procurement. The SIG covers eighteen domains of risk and can be adapted to different risk tiers. The Cloud Security Alliance's Consensus Assessments Initiative Questionnaire (CAIQ) is specifically focused on cloud service providers - we support all three formats and maintain pre-filled responses to reduce turnaround.
DPA and Sub-processor List
Data Processing Agreement (DPA)
Our DPA is available without an NDA. It covers Standard Contractual Clauses (SCCs) for EU-to-non-EU data transfers, UK IDTA addendum, and the Article 28 processor obligations required by GDPR. If your legal team requires modifications, we accept redlines on a best-effort basis - most requests are routine and turned around in a few business days.
Request the DPA at security@truto.one or download the current version from our Security page.
Sub-processor list
The current sub-processor list is maintained at truto.one/security and updated whenever we add or remove a vendor. It's not a static PDF - it's the source of truth, versioned with dates.
Each entry documents:
- Vendor name and purpose (e.g., cloud infrastructure, observability, transactional email, error tracking)
- Data category processed (e.g., encrypted credentials, request metadata, application logs)
- Processing region(s) (US, EU, or both, with the specific data center regions where relevant)
- DPA / SCCs status with that sub-processor
You can subscribe to email notifications for sub-processor changes; enterprise contracts include a contractual notice period before we add a new sub-processor that would process customer data.
A design note that matters for procurement: because Truto uses a pass-through architecture (detailed below), our sub-processors do not store your customers' third-party API response payloads. They store operational data - encrypted OAuth tokens, request logs, application telemetry - not the CRM contacts, HR records, or accounting entries flowing through Truto.
How Truto's Architecture Supports Audit Controls
This is where Truto's compliance story gets interesting - and different from most integration platforms.
Traditional unified API vendors run a sync-and-cache model: they pull data from third-party APIs on a schedule, store it on their servers, and serve it from their own database. This means your customers' sensitive data - PII, financial records, HR data - lives on a third party's infrastructure. During a security review, your buyer's InfoSec team has to audit not just you, but also your integration vendor as a sub-processor that stores their data.
Truto uses a pass-through architecture. API requests are proxied to the third-party provider in real time, transformed in memory using declarative JSONata mappings, and returned directly to you. Truto does not persist API response payloads to disk or database. The platform stores only the metadata it needs to function: OAuth tokens (encrypted at rest), integration configuration, and API request logs (configurable retention up to 180 days).
This architecture directly impacts your compliance posture in three ways:
1. Smaller sub-processor footprint. Because Truto doesn't store your customers' business data, the sub-processor risk conversation during vendor security reviews is dramatically simpler. There's no "shadow copy" of your customer's Salesforce contacts or BambooHR employee records sitting on a third party's servers.
2. Data residency is straightforward. Truto gives you the flexibility to store access tokens, API keys, and connection metadata in a region of your choice. For customers with strict data sovereignty requirements, Truto also supports VPC deployment - running the entire platform within your own cloud environment so that no data crosses network boundaries you don't control.
3. Audit evidence is clean. When your auditor asks "what data does your integration vendor store, for how long, and where?" - the answer is concise: encrypted credentials and request logs, configurable retention, customer-specified region. Compare that to explaining a full data warehouse of cached third-party API responses with unclear retention policies.
How Pass-Through Architecture Meets Procurement Requirements
Below are the exact questions InfoSec, legal, and privacy teams ask during enterprise reviews, and how Truto answers them. Copy these verbatim into your SIG/CAIQ/VSA responses if your buyer is asking about your integration vendor.
Q: Does Truto store our customers' data from third-party APIs? No. Third-party API responses are transformed in memory and returned to your application. The response payload is not persisted to any Truto database. Request/response logs (metadata + optional body capture, disabled by default for sensitive fields) are retained for a configurable period (default 30 days, max 180 days).
Q: Is the data real-time?
Yes. Every unified API call executes against the live third-party API at request time. There is no sync interval, no cache staleness window, and no eventual consistency lag. If your customer updated a Salesforce record five seconds ago, Truto's next GET /unified/crm/contacts/{id} reflects that change. For high-volume read patterns where real-time isn't required, an optional Super Query mode queries pre-synced data - but this is opt-in and clearly scoped.
Q: Where is data processed geographically? Control-plane data (tokens, configuration, logs) is stored in the region you select at environment creation. US and EU regions are available on the standard cloud deployment. For strict residency requirements, VPC deployment runs the entire platform inside your own cloud account and network.
Q: How are OAuth tokens and API keys protected? Credentials are encrypted at rest using AES-GCM with keys managed by a hardware-backed KMS. In transit, all traffic uses TLS 1.3. Tokens are refreshed proactively before expiry to avoid unauthenticated fallback windows. On refresh failure, the platform surfaces an authentication error webhook and marks the connection for reauth rather than retrying with expired credentials.
Q: What is your sub-processor list and how are we notified of changes? Maintained publicly at truto.one/security. Enterprise contracts include a contractual notice period for new sub-processors that process customer data.
Q: Do you support HIPAA / GDPR / CCPA? HIPAA: BAA available on request; the platform is architected to be BAA-eligible (credential isolation, audit logging, no PHI persistence by default). GDPR: DPA with SCCs available; EU region hosting available; sub-processor notice mechanism in place. CCPA: adherent, DPA covers the required contractual provisions.
Q: How do you handle a data subject deletion request (Right to Erasure)? Because response payloads aren't persisted, the deletion surface is small: tokens, connection metadata, and logs tied to the identifier. We provide a documented deletion runbook and can execute deletion within the SLA in your DPA (typically 30 days).
Q: What happens during a security incident? Our incident response process follows the runbook covered in the SOC 2 Type II report. Notification SLAs to customers are defined in the DPA and enterprise MSA. Post-mortem summaries for material incidents are available under NDA.
Q: How does this compare to sync-and-cache unified API providers? Most unified API integration providers in the CRM, HRIS, accounting, and payments categories run a sync-and-cache model where third-party data is copied into their infrastructure. Even when those providers hold SOC 2 Type II and ISO 27001, your buyer's InfoSec team still has to evaluate them as a data sub-processor that stores their end users' records. Truto's pass-through architecture removes that from the review entirely. If real-time data plus both certifications is your requirement, this is the practical difference on procurement day.
How to Request the Full SOC 2 Type II and ISO 27001 Reports (NDA Process)
Short version: one email, one signed NDA, done in a day.
-
Email security@truto.one with subject line "SOC 2 / ISO 27001 request" and include:
- Your company name and website
- Your role and the requesting team (typically InfoSec, Legal, or Procurement)
- Which artifacts you need (SOC 2 Type II, ISO 27001 certificate, SoA, penetration test summary, HIPAA BAA, DPA)
- Your target completion date if you're on a procurement timeline
-
We respond within one business day (usually within a few hours during US/EU business hours) with our mutual NDA. You can counter-sign with your own template if that's faster for your legal team.
-
On NDA execution, you receive the artifacts by email. No customer portal to register for.
If your procurement process requires uploading vendor security documents to a platform like OneTrust, SecurityScorecard, or a custom vendor risk portal, tell us - we'll upload them directly.
For customers already in an active evaluation, ask your Truto account contact to expedite - most reports are shared under NDA within one business day.
Customizable Unified APIs and Deployment Flexibility
A common question during enterprise evaluations is whether Truto can adapt to specific compliance and technical requirements. The short answer: yes, at multiple levels.
Customizable unified API mappings. Truto's override system lets you modify how the unified API behaves per environment or even per connected account - without any code changes or deployments. You can adjust response mappings, query translations, request body formatting, and pre/post-processing steps entirely through configuration. This means your team can adapt to customer-specific requirements (custom fields, non-standard endpoints, unique filter logic) without waiting on Truto to ship a code change.
Deployment options. Truto supports both cloud-hosted (multi-tenant) and VPC deployment models. For organizations that require data to remain within their own network perimeter - common in financial services, healthcare, and government - VPC deployment means the Truto platform runs inside your infrastructure. Your data never leaves your environment.
This combination - SOC 2 Type II and ISO 27001 attestations, a pass-through architecture that minimizes data exposure, customizable API behavior, and flexible deployment - is what allows Truto customers to pass enterprise security reviews in days rather than months.
Contact and Book a 30-Minute Technical Review
If you've read this far and still have open questions, the fastest path is a scheduled call with our team. A typical technical review covers:
- Walkthrough of the pass-through architecture and where data flows (or doesn't)
- Live review of the sub-processor list and DPA against your requirements
- Answers to questionnaire items your InfoSec team has flagged
- Deployment topology (cloud region, VPC) for your specific compliance profile
- Timeline for artifact delivery under NDA
Book directly: 30-minute technical review Email: security@truto.one for artifact requests, incident response coordination, or vulnerability disclosure General sales/evaluation questions: sales@truto.one
What does this mean for our customers?
• Data Protection: Your sensitive data is handled with the utmost care, meeting rigorous security, availability, confidentiality, and privacy standards.
• Trust: You can continue to rely on us to maintain the highest levels of compliance in our operations.
• Continuous Improvement: Our commitment doesn't stop here. We will keep enhancing our security practices to ensure we stay ahead of evolving threats.
Completing the audit for two consecutive years demonstrates our dedication to delivering not only exceptional service but also peace of mind for our customers. Learn more about our security practices here: Security at Truto
A huge thanks to our team and our partners for their relentless efforts, and to our customers for placing their trust in us. Here's to another year of building secure, scalable solutions that empower your business!
FAQ
- How do I get Truto's SOC 2 Type II report?
- Email security@truto.one with your company name and requested artifacts. We respond within one business day with a mutual NDA (or accept yours), and send the SOC 2 Type II report by email once the NDA is signed. No portal registration required.
- Is Truto's ISO 27001 certificate available without an NDA?
- The ISO 27001 certificate itself is available via email request. The full Statement of Applicability (SoA) is shared under mutual NDA because it details our control environment.
- Where is Truto's current sub-processor list?
- It's maintained publicly at truto.one/security and updated whenever we add or remove a vendor. Each entry documents the vendor purpose, data category processed, geographic processing region, and DPA status.
- Does Truto store our customers' third-party API data?
- No. Truto uses a pass-through architecture: API responses are transformed in memory using JSONata and returned to your application. The response payload is not persisted. Only encrypted credentials, integration configuration, and request logs (configurable retention up to 180 days) are stored.
- Is data returned by Truto's unified API real-time?
- Yes. Every unified API call executes against the live third-party API at request time. There is no sync interval or cache staleness. Optional Super Query mode is available for high-volume read patterns where pre-synced data is acceptable, but it's opt-in.
- Does Truto support VPC deployment for strict data residency?
- Yes. Truto supports both multi-tenant cloud deployment and VPC deployment, where the entire platform runs inside your own cloud environment. VPC is common for financial services, healthcare, and government use cases.
- How does Truto compare to sync-and-cache unified API providers on procurement?
- Sync-and-cache providers store your end users' records on their infrastructure, so your buyer's InfoSec team has to evaluate them as a data sub-processor. Truto's pass-through architecture doesn't persist third-party data, removing that entire branch of the security review.
- Can I book a technical review with Truto's security team?
- Yes. Book a 30-minute technical review at cal.com/truto/partner-with-truto. The call covers architecture walkthrough, sub-processor and DPA review against your requirements, questionnaire-specific answers, and deployment options.