Security Policy
At Treno we understand that our customers expect us to protect their data with the highest standards and are committed to providing them with a highly secure and reliable environment.
Access Control
We know the data you upload to Treno is private and confidential. We regularly conduct user access reviews to ensure appropriate permissions are in place, in accordance with the least privilege principle. Employees have their access rights promptly modified upon change in employment.
Application Security
Treno implements a security-oriented design in multiple layers, one of which is the application layer. The Treno application is developed by Treno full-time employees according to the OWASP Top 10 framework and all code is peer reviewed prior to deployment to production.
Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, unit testing that covers authorization, and more. Additionally, Treno developers go through periodic security training to keep them up to date with secure development best practices.
Availability
Since launch, Treno has consistently met or exceeded 99.9% uptime, ensuring customers can access our products and services without interruption.
CCPA Compliance
Treno does not sell its customers’ or users’ personal information. Where a business subject to the CCPA has entered into a services or subscription agreement with Treno, Treno will also act as a service provider to that business. Specifically, Treno will process such customers’ personal information only for the purposes set forth in the applicable agreement, and will cooperate with customers to fulfill deletion or access requests. Additional information about what data we collect and how we use it can be found in our privacy policy here: https://treno.io/privacy
Corporate Security Standards
Treno ensures that security policies are maintained, communicated, and followed. All contractors and employees are required to pass a background check, sign confidentiality agreements, and complete security training as part of their entry into the organization. Additionally, employees receive routine security awareness training and confirm adherence to Company security policies.
Data Security
All Treno data is covered by the highest security standards. Any data, as well as any connections you make while accessing Treno, is completely secure. Sensitive data is encrypted at rest, and analytics are encrypted in transit with either TLS or HTTPS. Additionally, all connections with the Treno app are encrypted using SSL/TLS.
Treno encrypts all data both in transit and at rest:
- Traffic is encrypted using TLS 1.3 with a modern cipher suite, supporting TLS 1.2 at minimum
- User data is encrypted at rest across our infrastructure using AES-256 or better
- Credentials are hashed and salted using a modern hash function
Disaster Recovery and Backups
Treno is committed to providing continuous and uninterrupted service to all its customers. We back up user data every six hours. All backups are encrypted and are retained for 20 days.
Our Disaster Recovery Plan is tested at least once a year to assess its effectiveness and to keep employees aligned with their responsibilities in case of a service interruption.
GDPR Compliance
Treno has established a comprehensive GDPR compliance program and is committed to partnering with its customers and vendors on GDPR compliance efforts. Some significant steps Treno has taken to align its practices are included in our Data Processing Addendum, which can be reviewed here: https://treno.io/data-processing-addendum. Additional information about what data we collect and how we use it can be found in our privacy policy here: https://treno.io/privacy
Hosting Infrastructure
Our systems are hosted in a single Google Cloud Platform region, with plans to expand to multiple GCP regions soon. This allows us to provide a reliable service and keeps your data available whenever you need it. We have also established a disaster recovery site on GCP.
These Google Cloud Platform data centers employ leading physical and environmental security measures, resulting in highly resilient infrastructure. More information about their security practices can be found here: https://cloud.google.com/security/
Hosting Location
Treno hosts its customer data in the Google Cloud Platform (GCP) data centers in the United States.
Hosting Options - EU
If a new EU customer wishes to have their data processed within the EU it must be requested BEFORE onboarding. If approved by Treno, we will create a unique account for that customer. The data connected to that account will be stored in an EU Google Cloud Platform data center in Germany and never backed up or replicated to a server elsewhere.
Infrastructure Security
Another layer of security is the infrastructure. As stated, Treno is hosted on GCP and soon will be across multiple GCP regions for redundancy. Furthermore, our infrastructure is protected using multiple layers of defense mechanisms, including:
- Firewalls for enforcing IP whitelisting and access through permitted ports only to network resources
- A web application firewall (WAF) for content-based dynamic attack blocking
- DDoS mitigation and rate limiting
- NIDS sensors for early attack detection
- Advanced routing configuration
- Comprehensive logging of network traffic, both internal and edge
Least Privilege Access
Only a limited set of employees have access to the data stored in our databases. There are strict security policies for employee access, all security events are logged and monitored, and our authentication methods and data are strictly regulated. Access to production data requires multi-factor authentication and a one-time password.
We limit access to customer data to employees with a job-related need, and require all these staff members to sign a confidentiality agreement. Accessing customer data is only done on an as-needed basis, and only when approved by the customer (i.e. as part of a support incident) via a support token, or under authorization from senior management and security for the purposes of providing support, maintenance, or improving service quality.
Physical Security
Treno is a cloud-based company, with no part of our infrastructure retained on-premises. We maintain physical security at our office location, including access control by personal access cards, CCTV and alarm systems.
Treno’s data centers are hosted on Google Cloud Platform infrastructure, where industry-leading physical security measures are employed.
Privacy
Protecting our customers’ data privacy is always a top priority for Treno. We understand the importance of protecting the critical business and personal information entrusted to us. Data access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Treno’s customers may configure a data retention duration. Customer data is purged from Treno’s systems subsequent to contract termination. Details on our privacy policy can be found here: https://treno.io/privacy
Secure Development Process
At Treno, code development is done through a documented SDLC process which includes guidance on how code is tested, reviewed, and promoted to production. We use a multi-reviewed, industry-leading process across the entire lifecycle which includes:
- Code peer reviews before changes are committed to the master branch of the Treno application
- Functional and unit testing using automated tools that are efficient and secure
- Application security testing
- License management testing and dependency scanning
Security Audits and Penetration Tests
Independent third-party assessments are crucial in order to get an accurate, unbiased understanding of your security posture. Treno conducts penetration tests on an annual basis at both the application and infrastructure levels using well-known, independent auditors. Results of these quarterly third-party tests are available upon request.
Additionally, Treno performs internal security audits and penetration tests on a monthly basis.
Security Awareness and Training
Treno understands that its security is dependent on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding. Further security training is provided on a bi-annual basis. Additionally, all employees must sign our Acceptable Use Policy.
SOC2 Type II Compliance
Treno has achieved a SOC 2 Type II attestation from a certified auditor with no exceptions in the final report. We work with an AICPA-certified audit firm to evaluate our information security program and controls on an annual basis, and we continuously monitor those controls using the Treno platform. A copy of our auditor's report is available upon request.
Additional Information
If you have any security-related questions or concerns, please contact your sales representative or contact us at [email protected]