
Security Overview

How we protect your data and your agents.

  • SOC2 Type I: In Progress
  • GDPR: Compliant
  • ISO 27001: In Progress

Encryption

  • In Transit: All traffic is encrypted using TLS 1.3. We enforce HTTPS for all API endpoints and dashboard access.
  • At Rest: All stored data is encrypted using AES-256. Database volumes, backups, and logs are encrypted by default.
  • API Keys: Never stored in plaintext. Never logged. Managed through a dedicated key management service (KMS) with automatic rotation.

API Key Security

Your API keys are the most sensitive piece of data in the system. We handle them with extreme care:

  • Keys are encrypted with AWS KMS before storage
  • Keys are never written to logs, traces, or error reports
  • Keys are never returned in API responses after initial creation
  • Automatic key rotation is available for enterprise customers
  • Rate limiting and anomaly detection protect against key exfiltration

Compliance

  • SOC2 Type I — In progress. Audit by independent third-party firm. Expected completion Q3 2026.
  • GDPR — Compliant. Data processing agreements available. EU-based customers can request data residency in AWS eu-west-1.
  • CCPA — Ready. California residents may request data access and deletion via privacy@trelo.com.

Vulnerability Management

We take security reports seriously. If you discover a vulnerability, please report it to us immediately.

  • Report to: security@trelo.com
  • Response time: We acknowledge reports within 24 hours
  • Resolution: Critical vulnerabilities are patched within 72 hours
  • PGP Key: Available upon request

Uptime & Reliability

  • Enterprise SLA: 99.9% uptime guarantee with service credits for downtime
  • Pro SLA: 99.0% uptime target
  • Status page: Real-time service status available at status.trelo.com

Infrastructure

  • Hosting: AWS us-east-1 region
  • Network: Private VPC with isolated subnets for each tenant
  • Backups: Hourly encrypted database snapshots retained for 30 days
  • Monitoring: 24/7 automated monitoring with on-call engineer rotation

Third-Party Audits

We undergo annual third-party penetration testing by an independent security firm. The most recent test was completed in Q1 2026. A summary report is available to enterprise customers upon request.

In addition to annual pentests, we run continuous vulnerability scanning on all production infrastructure and dependencies.