Security

How TruAddress protects your data and maintains enterprise-grade security.

Last updated: January 29, 2026

Our Security Commitment

At TruAddress, security isn't an afterthought—it's foundational to everything we build. We understand that you're trusting us with sensitive address data, and we take that responsibility seriously.

Infrastructure Security

Encryption

  • In Transit: All API traffic is encrypted using TLS 1.3
  • At Rest: All stored data is encrypted using AES-256
  • API Keys: Hashed using bcrypt before storage

Network Security

  • DDoS protection and rate limiting at the edge
  • Web Application Firewall (WAF) for all endpoints
  • Private networking between internal services
  • No direct database access from the public internet

Access Control

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication required for team access
  • Quarterly access reviews and privilege audits
  • Separate environments for development, staging, and production

Compliance & Certifications

SOC 2 Type II

We maintain SOC 2 Type II compliance, with annual audits by an independent third party. Our report covers:

  • Security
  • Availability
  • Confidentiality

CASS Certification

Our US address validation is CASS-certified by the United States Postal Service, ensuring accuracy and eligibility for postal discounts.

HIPAA Ready

Our infrastructure is designed to support HIPAA compliance. Business Associate Agreements (BAAs) are available for healthcare customers on Enterprise plans.

GDPR Compliant

We comply with GDPR requirements for EU customers, including:

  • Data Processing Agreements (DPAs) available on request
  • EU data residency options
  • Right to erasure and data portability

Data Handling

Data Minimization

We only collect the data necessary to provide our services. Address data is processed in real time and is not retained after the request completes.

Data Retention

  • API request logs: 30 days
  • Account data: Duration of account + 30 days
  • Billing records: As required by law

Data Isolation

Each customer's data is logically isolated. We never share data between customers or use your data to train models.

Operational Security

Monitoring

  • 24/7 infrastructure monitoring
  • Real-time alerting for anomalies
  • Detailed audit logging for all admin actions

Incident Response

  • Documented incident response procedures
  • Security team on-call 24/7
  • Customer notification within 72 hours for security incidents

Business Continuity

  • Multi-region redundancy
  • Daily backups with point-in-time recovery
  • 99.99% uptime SLA

Secure Development

Development Practices

  • Security-focused code reviews
  • Dependency scanning for vulnerabilities
  • Regular penetration testing
  • Bug bounty program (coming soon)

API Security

  • API key authentication
  • Rate limiting to prevent abuse
  • Request validation and sanitization
  • CORS and CSP headers
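The Encryption section above states that API keys are hashed with bcrypt before storage, and this section lists API key authentication as the access mechanism. As an added illustration of how those two statements fit together (this is example code written for this page, not TruAddress's own implementation), the block below issues a key made of a public lookup id plus a random secret, stores only a salted hash of the secret, and verifies presented keys with a constant-time comparison. The `ta_<id>.<secret>` format is an assumption, and the standard-library scrypt KDF stands in for bcrypt so the example runs without third-party packages; a production system would use bcrypt (or another password hashing function) exactly as the page says.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed key layout (not TruAddress's real scheme): a short public id that the
# server can look up directly, followed by a random secret that is never stored
# in plaintext. A per-key salt means the hash itself cannot serve as a lookup.
KEY_PREFIX = "ta_"
SECRET_BYTES = 32
SALT_BYTES = 16


@dataclass
class StoredKey:
    key_id: str        # public lookup handle, safe to log
    salt: bytes        # random per-key salt
    digest: bytes      # KDF(secret, salt); the secret itself is not kept
    revoked: bool = False


def _derive(secret: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: memory-hard scrypt from the standard library.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def issue_key(store: dict) -> str:
    """Create a key, persist only its hash, and return the plaintext once."""
    key_id = secrets.token_hex(6)
    secret = secrets.token_urlsafe(SECRET_BYTES)
    salt = os.urandom(SALT_BYTES)
    store[key_id] = StoredKey(key_id, salt, _derive(secret, salt))
    return f"{KEY_PREFIX}{key_id}.{secret}"


def revoke_key(store: dict, key_id: str) -> bool:
    rec = store.get(key_id)
    if rec is None:
        return False
    rec.revoked = True
    return True


def verify_key(store: dict, presented: str) -> bool:
    """Return True only for a well-formed, unrevoked key whose secret matches."""
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return False
    key_id, _, secret = presented[len(KEY_PREFIX):].partition(".")
    rec = store.get(key_id)
    if rec is None or rec.revoked:
        # Run the KDF anyway so an unknown id costs the same time as a wrong secret.
        _derive(secret, b"\x00" * SALT_BYTES)
        return False
    return hmac.compare_digest(_derive(secret, rec.salt), rec.digest)


def plaintext_absent(store: dict, presented: str) -> bool:
    """Check that no stored record contains the presented secret verbatim."""
    secret = presented.partition(".")[2].encode()
    return all(secret not in rec.digest and secret not in rec.salt for rec in store.values())


if __name__ == "__main__":
    keys = {}
    api_key = issue_key(keys)
    print("issued:", api_key)
    print("valid:", verify_key(keys, api_key))
    revoke_key(keys, api_key[len(KEY_PREFIX):].partition(".")[0])
    print("after revoke:", verify_key(keys, api_key))
```

The lookup id is the part a support engineer can safely see in request logs; the secret after the dot appears only in the customer's copy of the key. Because each record has its own salt, two customers with the same secret would still produce different digests, and a database dump yields nothing that can be replayed against the API.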

Vulnerability Disclosure

If you discover a security vulnerability, please report it to [email protected]. We commit to:

  • Acknowledging receipt within 24 hours
  • Providing regular updates on remediation
  • Not pursuing legal action for good-faith reports

Security Resources

Contact

For security questions or to request compliance documentation: