Successfully Completed SOC 2 Type II Audit for Year 2
Truto's SOC 2 Type II and ISO 27001 certifications, pass-through architecture, and VPC deployment options help enterprise customers pass security reviews faster.
We've Successfully Completed Our SOC 2 Type II Audit for Year 2!
We are excited to share that we've successfully completed our SOC 2 Type II audit for the second consecutive year! This is a significant milestone that reflects our ongoing commitment to providing a secure and compliant platform for our customers.
Achieving SOC 2 Type II compliance isn't just about ticking a box—it's about ensuring that our processes, systems, and people are all focused on protecting your data. Over the past year, we've strengthened our controls, enhanced our infrastructure, and prioritized security in everything we do.
Truto Certifications and Attestations
Truto holds the following certifications and attestations:
| Certification / Attestation | Status | Scope |
|---|---|---|
| SOC 2 Type II | Completed (Year 2) | Security, Availability, Confidentiality |
| ISO 27001 | Certified | Information Security Management System (ISMS) |
| HIPAA | Compliant, BAA available | Protected Health Information handling |
| GDPR | Compliant, DPA available | EU personal data protection |
| CCPA | Adherent | California consumer privacy |
SOC 2 Type II is an attestation - not a pass/fail certification - issued by an independent CPA firm after evaluating the design and operational effectiveness of our controls over a sustained observation period. Completing this for the second consecutive year means an independent auditor has verified that Truto's controls didn't just exist on paper - they operated effectively throughout the entire audit window.
ISO 27001 is the internationally recognized standard for information security management systems. It covers a broader organizational scope than SOC 2, including risk management processes, security policies, and continuous improvement practices. Holding both SOC 2 Type II and ISO 27001 means Truto satisfies the compliance requirements most frequently requested during enterprise procurement - whether the buyer is US-based (SOC 2) or international (ISO 27001).
Scope and Audit Details
Our SOC 2 Type II report covers the Trust Services Criteria for Security, Availability, and Confidentiality as defined by the AICPA. The audit evaluated Truto's unified API platform - the infrastructure, application layer, authentication systems, and operational processes that handle API requests on behalf of our customers.
Specifically, the audit scope includes:
- Infrastructure controls - encryption at rest and in transit (TLS 1.3), network segmentation, access management
- Application security - authentication handling (OAuth token storage, refresh cycles, API key management), authorization enforcement, audit logging
- Operational processes - incident response, change management, employee onboarding/offboarding, vendor management
- Availability - uptime monitoring, disaster recovery, capacity planning
- Confidentiality - data classification, access restrictions, credential isolation between customer environments
The Year 2 audit covered a 12-month observation window, during which the auditor tested whether each control operated consistently - not just whether it was designed correctly.
How to Request the SOC 2 Report
SOC 2 reports are restricted-distribution documents. They contain detailed control descriptions and test results intended for your security and compliance teams, not for public posting.
To request a copy of our current SOC 2 Type II report:
- Email: security@truto.one
- During evaluation: Ask your Truto account contact and we'll share it under NDA within one business day
- Compliance questionnaires: If you're sending a SIG, CAIQ, or custom security questionnaire, include the SOC 2 report request alongside it - we handle them together to speed up your review
For HIPAA BAAs, DPAs (GDPR), or other compliance documentation, reach out to the same address.
How Truto's Architecture Supports Audit Controls
This is where Truto's compliance story gets interesting - and different from most integration platforms.
Traditional unified API vendors run a sync-and-cache model: they pull data from third-party APIs on a schedule, store it on their servers, and serve it from their own database. This means your customers' sensitive data - PII, financial records, HR data - lives on a third party's infrastructure. During a security review, your buyer's InfoSec team has to audit not just you, but also your integration vendor as a sub-processor that stores their data.
Truto uses a pass-through architecture. API requests are proxied to the third-party provider in real time, transformed in memory using declarative JSONata mappings, and returned directly to you. Truto does not persist API response payloads to disk or database. The platform stores only the metadata it needs to function: OAuth tokens (encrypted at rest), integration configuration, and API request logs (configurable retention up to 180 days).
This architecture directly impacts your compliance posture in three ways:
1. Smaller sub-processor footprint. Because Truto doesn't store your customers' business data, the sub-processor risk conversation during vendor security reviews is dramatically simpler. There's no "shadow copy" of your customer's Salesforce contacts or BambooHR employee records sitting on a third party's servers.
2. Data residency is straightforward. Truto gives you the flexibility to store access tokens, API keys, and connection metadata in a region of your choice. For customers with strict data sovereignty requirements, Truto also supports VPC deployment - running the entire platform within your own cloud environment so that no data crosses network boundaries you don't control.
3. Audit evidence is clean. When your auditor asks "what data does your integration vendor store, for how long, and where?" - the answer is concise: encrypted credentials and request logs, configurable retention, customer-specified region. Compare that to explaining a full data warehouse of cached third-party API responses with unclear retention policies.
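To make the pass-through model concrete, here is an added Python sketch (not Truto's code) of the handling path described above: the provider response is mapped in memory, only request metadata is appended to a log, and a purge enforces the retention window. The dotted-path `MAPPING`, the `RequestLog` shape and the sample HR payload are assumptions standing in for Truto's JSONata mappings and real provider data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json
RETENTION_DAYS = 180  # page: request-log retention configurable up to 180 days

@dataclass(frozen=True)
class RequestLog:
    """Metadata-only record: no request or response body is ever stored."""
    ts: datetime
    path: str
    status: int
    response_bytes: int
# Constructed sample of a third-party HR API response (not real data).
SAMPLE_PROVIDER_JSON = json.dumps({
    "employee_id": "E-1001", "name": {"first": "Ada", "last": "Lovelace"},
    "contact": {"work_email": "ada@example.test"},
    "ssn": "000-00-0000",  # sensitive field the unified shape never exposes
})
# Hypothetical unified-field -> provider-path mapping (JSONata stand-in).
MAPPING = {"id": "employee_id", "first_name": "name.first",
           "last_name": "name.last", "email": "contact.work_email"}

def get_path(obj, dotted):
    for key in dotted.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def transform(payload, mapping):
    """Build the unified shape; provider fields not in the mapping are dropped."""
    return {unified: get_path(payload, path) for unified, path in mapping.items()}

def handle_request(path, raw_json, status, log_store, now=None):
    """Proxy step: parse, map in memory, log metadata only, return the result."""
    now = now or datetime.now(timezone.utc)
    unified = transform(json.loads(raw_json), MAPPING)
    log_store.append(RequestLog(now, path, status, len(raw_json)))
    return unified  # raw payload goes out of scope here; nothing hits disk

def purge_expired(log_store, now, retention_days=RETENTION_DAYS):
    """Keep only log entries inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [entry for entry in log_store if entry.ts >= cutoff]

def demo():
    """One request plus a purge; returns (unified, kept_logs, dropped_count)."""
    logs, now = [], datetime(2025, 1, 1, tzinfo=timezone.utc)
    unified = handle_request("/bamboohr/employees/E-1001", SAMPLE_PROVIDER_JSON, 200, logs, now)
    logs.append(RequestLog(now - timedelta(days=RETENTION_DAYS + 1), "/bamboohr/employees", 200, 512))
    kept = purge_expired(logs, now)
    return unified, kept, len(logs) - len(kept)
```

The point an auditor cares about is visible in `RequestLog`: the record has no body field at all, so the "what do you store" answer is the field list plus the retention constant.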
Customizable Unified APIs and Deployment Flexibility
A common question during enterprise evaluations is whether Truto can adapt to specific compliance and technical requirements. The short answer: yes, at multiple levels.
Customizable unified API mappings. Truto's override system lets you modify how the unified API behaves per environment or even per connected account - without any code changes or deployments. You can adjust response mappings, query translations, request body formatting, and pre/post-processing steps entirely through configuration. This means your team can adapt to customer-specific requirements (custom fields, non-standard endpoints, unique filter logic) without waiting on Truto to ship a code change.
Deployment options. Truto supports both cloud-hosted (multi-tenant) and VPC deployment models. For organizations that require data to remain within their own network perimeter - common in financial services, healthcare, and government - VPC deployment means the Truto platform runs inside your infrastructure. Your data never leaves your environment.
This combination - SOC 2 Type II and ISO 27001 attestations, a pass-through architecture that minimizes data exposure, customizable API behavior, and flexible deployment - is what allows Truto customers to pass enterprise security reviews in days rather than months.
What does this mean for our customers?
- Data Protection: Your sensitive data is handled with the utmost care, meeting rigorous security, availability, confidentiality, and privacy standards.
- Trust: You can continue to rely on us to maintain the highest levels of compliance in our operations.
- Continuous Improvement: Our commitment doesn't stop here. We will keep enhancing our security practices to ensure we stay ahead of evolving threats.
Completing the audit for two consecutive years demonstrates our dedication to delivering not only exceptional service but also peace of mind for our customers. Learn more about our security practices here: Security at Truto
A huge thanks to our team and our partners for their relentless efforts, and to our customers for placing their trust in us. Here's to another year of building secure, scalable solutions that empower your business!
FAQ
- Is Truto SOC 2 Type II compliant?
- Yes. Truto has completed its SOC 2 Type II audit for the second consecutive year, covering Security, Availability, and Confidentiality Trust Services Criteria. The report is available on request under NDA.
- What certifications does Truto hold?
- Truto holds SOC 2 Type II attestation, ISO 27001 certification, HIPAA compliance (with BAA available), GDPR compliance (with DPA available), and adheres to CCPA requirements.
- How do I request Truto's SOC 2 report?
- Email security@truto.one or ask your Truto account contact. We typically share the report under NDA within one business day.
- Does Truto store my customers' data?
- No. Truto uses a pass-through architecture that proxies API requests in real time without persisting response payloads. Only encrypted credentials and configurable API request logs are stored.
- Does Truto support on-premise or VPC deployment?
- Yes. Truto supports VPC deployment within your own cloud environment, so the platform runs inside your infrastructure and no data crosses network boundaries you don't control.
- How does Truto's architecture help with SOC 2 compliance?
- Truto's pass-through, zero-storage design means it doesn't act as a data warehouse for third-party API responses. This minimizes your sub-processor footprint and simplifies the data handling questions auditors ask during security reviews.