Security & Compliance

Last Updated: December 27, 2024

Security Overview

Truvana is built with security at its core. As a platform serving California K-12 school districts, we understand the critical importance of protecting sensitive employee and personnel data. Our security practices are designed to meet the rigorous requirements of public education institutions.

  • FERPA Compliant: Family Educational Rights and Privacy Act
  • Security-First Architecture: Built with enterprise security practices
  • US Data Residency: Data hosted in US-based data centers
  • Encryption: Data encrypted at rest and in transit

Data Encryption

Encryption in Transit

All data transmitted between your browser and Truvana servers is encrypted using industry-standard transport layer security. We enforce secure connections for all communications.

Encryption at Rest

All data stored in our systems is encrypted at rest using strong encryption standards. This includes employee records, personnel files, and uploaded documents. Encryption keys are managed using industry-standard key management practices.

Education Sector Compliance

FERPA

While Truvana primarily handles employee (not student) data, we maintain FERPA-compliant practices to support school districts. Our platform is designed to be used within district-designated systems with appropriate access controls.

California Education Code

Truvana is designed with California Education Code requirements in mind, including provisions related to personnel records, evaluation procedures, and progressive discipline.

Student Online Personal Information Protection Act (SOPIPA)

Although Truvana is an HR platform and does not directly collect student data, we maintain awareness of SOPIPA requirements to ensure our platform does not inadvertently expose student information through personnel records.

Infrastructure Security

Data Center Security

  • Hosted on enterprise-grade cloud infrastructure
  • US-based data centers with enterprise-grade security
  • Physical security including 24/7 monitoring and controlled access
  • Redundant power and network connectivity

Network Security

  • Web Application Firewall (WAF) protection
  • DDoS mitigation
  • Intrusion detection and prevention
  • Regular security assessments

Access Control

  • Role-Based Access Control (RBAC): Users only have access to data and features appropriate to their role
  • Single Sign-On (SSO): Support for enterprise identity providers
  • Multi-Factor Authentication: Available for enhanced account security
  • Session Management: Automatic session timeout and secure token handling
  • Audit Logging: Comprehensive logs of user actions for accountability

Backup & Disaster Recovery

  • Regular automated backups
  • Geographically distributed backup storage
  • Point-in-time recovery capability
  • Documented disaster recovery procedures
  • Regular recovery testing

Security Documentation

We are committed to transparency about our security practices. Upon request, we can provide:

  • Completed security questionnaires (SIG, HECVAT, custom formats)
  • Architecture and data flow documentation
  • Privacy and security policy documentation
  • Incident response procedures

Contact security@truvana.com to request documentation for your vendor review process.

Third-Party Security

We carefully vet all third-party vendors and require them to meet our security standards. See our Sub-processor List for details on the vendors we use.

Security Testing

  • Regular third-party security assessments
  • Ongoing vulnerability management
  • Secure development practices
  • Dependency security monitoring

Incident Response

We maintain a documented incident response plan and will notify affected customers within 72 hours of discovering a security incident that may impact their data, as required by law and our Data Processing Agreement.

Security Contact

To report a security vulnerability or ask security questions:

Security Team
Email: security@truvana.com

For responsible disclosure guidelines, see our security.txt file.

© 2026 Truvana, LLC. All rights reserved.