Treblle is a software company that has implemented policies and procedures to keep user and company data safe. We are in the process of getting SOC 2 Type 2 certification. We have a rigorous assessment process to ensure infrastructure, sub-processors, third-party vendors, and employees have strict security policies in place. We also have a detailed privacy policy.
While no environment can guarantee absolute security, Treblle makes it easy to mask sensitive data, ensure API security, as well as scan for vulnerabilities with our compliance feature.
We are certified and in compliance with:
Authentication
Treblle offers an identity service that requires a username and strong password and we strongly encourage the use of our optional 2FA feature. In addition, users can chose to use Single Sign-On with their IdP or social identity provider (i.e., Google or GitHub). Treblle provides guidance for new users when choosing a password.
Roles/Tokens/Keys
We have a layered user access control approach. All projects are inaccessible except by the owners with verified Treblle accounts requiring a username and password. Additional access is granted to users who have accepted a secure invitation sent by a project owner. Specific data can be shared externally through links that expire. In addition, each user has a unique API key to configure SDK packages.
Encryption
Treblle utilizes data encryption at rest of both production data and backups using 256-bit AES encryption. Encryption keys are stored in AWS Key Management. Data is stored only in the cloud in highly compliant AWS and SingleStore data centers which provide fault-tolerance and strong access controls.
In addition, user-specified data can be masked at the SDK level and will be sent only as hashed data to our systems.
SSL
Treblle utilizes SSL using Transport Layer Security (TLS) 1.2 or higher with the latest SHA-256 algorithm for encrypting all network traffic. Treblle's SSL implementation received an "A" on Qualsys' SSL Labs. All of our open-source SDKs are configured to use HTTPS. The treblle.com domain also has HSTS enabled.
Personal Data
Personal data is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. We store your Personal Data in countries including the USA on secure systems described above. We comply with applicable data protection laws when transferring Your Personal Data.
Backups
Treblle retains user data only for as long as necessary for the purposes set out in our Privacy Policy. We will retain and use personal user data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.
Infrastructure
Treblle continuously monitors its infrastructure and access to its systems. Automated vulnerability scans and penetration testing are regularly performed in our AWS and SingleStore instances. Employees and management are granted access to production infrastructure only when required to complete work or make changes that fall within approved roadmaps, product changes, or scope of responsibilities. Access to production and development systems is logged.
Payments
Treblle does not store or collect payment card details. That information is provided directly to our third-party payment processor, whose use of personal information is governed by their Privacy Policy. We only utilize payment processors that are PCI-DSS compliant.
Software & Sub-Processors
All sub-processors and third-party vendors must be vetted by the relevant Treblle leadership. Any processor or vendor that Treblle engages with, where user data has a potential impact, must have robust compliance and security policies, including but not limited to GDPR, CCPA, SOC 2, PCI-DSS, ISO, etc. All critical accounts and software systems used by employees require Single Sign-On (when available) with a strict 2FA-enabled policy (when available).
Login Data and Employee Devices
Treblle employees are required to use the company-provided password manager. Employees are never allowed to save passwords locally or share individual login information. Devices must be password protected and have a short time-out period before a login screen appears. Employees cannot leave devices unlocked or applications logged in when not in direct possession. The device drive is encrypted by default.
Reporting an Issue
If you believe you’ve discovered a bug or security issue, please get in touch at support@treblle.com and we will get back to you within 72 hours. We request that you not publicly disclose the issue until we have had a chance to review it and respond.
Incident Response
Treblle has incident response procedures to help mitigate cyber risks around service availability, integrity, security, privacy, and confidentiality. As a result, we train our teams to:
Promptly respond to alerts of potential incidents
Analyze and assess the severity of potential incidents
Execute mitigation and containment measures
Communicate with relevant internal and external stakeholders. This includes notifying affected customers and meeting contractual obligations around breach or incident notifications.
Gather and preserve forensic evidence for investigative efforts
Conduct and document a postmortem while developing a permanent triage plan
We make our system status publicly available at https://status.treblle.com/
