1. Our Security Commitment
Truee Inc. is committed to protecting the confidentiality, integrity, and availability of all data on the Platform. We apply a defence-in-depth approach — multiple overlapping security controls so that no single failure compromises the whole system.
Our security programme covers:
- Protection of user account credentials and personal data.
- Integrity of Truee Profile data distributed to AI consumers.
- Resilience of the API and platform infrastructure against attacks.
- Rapid detection of and response to security incidents.
- Responsible handling of vulnerability reports from the community.
2. Cryptographic Record Signing
2.1 How It Works
- Each Truee Profile is serialised to a canonical JSON-LD document and hashed using a cryptographically secure algorithm.
- The hash is signed with Truee's private signing key. The corresponding public key is published at a well-known endpoint so that any consumer can independently verify the signature.
- The signature includes a timestamp so that consumers can detect stale or replayed records.
- Any modification to a signed record — even a single character — invalidates the signature, alerting AI systems to potential tampering or injection.
2.2 Key Management
- Signing keys are generated and stored in a Hardware Security Module (HSM) or equivalent managed key service.
- Private keys are never exposed outside the signing service and are not accessible to Truee application developers.
- Keys are rotated on a scheduled basis; historical public keys remain published to allow verification of older records during transition.
3. Data Protection
3.1 Encryption in Transit
- All communication between clients and the Truee Platform is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and use HSTS headers to prevent downgrade attacks.
- Weak cipher suites are disabled. We target a minimum A rating on standard TLS assessment tools.
3.2 Encryption at Rest
- All databases storing personal or profile data are encrypted at rest using AES-256 or equivalent.
- Backups are encrypted and stored in geographically separate locations.
3.3 Password Security
- User passwords are hashed using a modern, slow password-hashing algorithm (e.g., bcrypt or Argon2) with a unique salt per user.
- Plaintext passwords are never stored, logged, or transmitted.
3.4 Payment Data
- Card numbers and sensitive payment credentials are handled exclusively by our PCI-DSS compliant payment processors (Stripe, Paystack). Truee does not transmit, store, or process raw card data on its servers.
4. Access Controls
4.1 Principle of Least Privilege
Internal staff are granted only the minimum permissions necessary to perform their role. Access to production systems and customer data is restricted, audited, and reviewed quarterly.
4.2 Multi-Factor Authentication
Multi-factor authentication (MFA) is required for all internal staff accessing production systems. We strongly encourage — and in future plan to require — MFA for user accounts managing Truee Profiles.
4.3 Role-Based Access
The Platform enforces role-based access control (RBAC). Dashboard users can only access their own Truee Profile. Admin capabilities are isolated from standard user flows.
4.4 Session Management
- Authentication tokens are short-lived and refreshed securely.
- Sessions are invalidated on logout and after prolonged inactivity.
- Concurrent session limits are enforced per account.
5. API Security
5.1 Authentication
All Truee API endpoints require a valid API key. Keys are issued per account, scoped to specific permissions, and can be revoked at any time from the dashboard.
5.2 Rate Limiting
Rate limits are enforced per API key and per IP address to protect against abuse, denial-of-service, and credential stuffing. Clients that exceed limits receive a 429 response with a Retry-After header.
5.3 Input Validation
All API inputs are validated and sanitised server-side. We apply strict schema validation to prevent injection attacks and malformed data from entering the platform.
5.4 CORS & Content Security
- CORS policies restrict which origins can make cross-origin API requests.
- Appropriate Content-Security-Policy headers are served with all web responses.
- OWASP Top 10 mitigations are applied throughout the application stack.
5.5 API Logging & Monitoring
All API requests are logged with timestamp, endpoint, response code, and API key identifier. Logs are monitored in real time for anomalous patterns, and alerts are routed to the on-call security team.
6. Infrastructure Security
6.1 Cloud & Hosting
Truee's infrastructure runs on enterprise-grade cloud providers that maintain ISO 27001, SOC 2, and/or equivalent certifications. We operate within isolated network environments with private subnets, firewalls, and DDoS mitigation enabled.
6.2 Dependency Management
- Third-party dependencies are pinned and reviewed before adoption.
- Automated tooling scans for known vulnerabilities in dependencies (CVE monitoring).
- Critical patches are applied within 24 hours of disclosure; others within a risk-based SLA.
6.3 Backups & Availability
- Profile data is backed up daily and replicated across availability zones.
- Recovery point objective (RPO) and recovery time objective (RTO) targets are reviewed annually.
- Scheduled maintenance is communicated in advance via the status page.
7. Incident Response
7.1 Detection
We use automated monitoring, alerting, and anomaly detection to identify potential security incidents 24/7. Internal security events are triaged by our on-call team within defined response windows.
7.2 Notification
In the event of a data breach that affects your personal data, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR where required). Notifications will include the nature of the breach, data affected, likely consequences, and steps we are taking.
7.3 Post-Incident Review
After each significant incident we conduct a root-cause analysis and implement remediation measures to prevent recurrence. Lessons learned are incorporated into our ongoing security programme.
8. Responsible Vulnerability Disclosure
8.1 How to Report
Email your findings to: security@usetruee.com
Please include in your report:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce the issue (proof-of-concept if possible).
- The affected component, URL, or endpoint.
- Your contact information for follow-up.
8.2 Our Commitments
- We will acknowledge your report within 3 business days.
- We will provide a status update within 10 business days.
- We will not pursue legal action against researchers who act in good faith and follow this policy.
- We will credit you in our security acknowledgements (with your permission) when a valid issue is resolved.
8.3 Out-of-Scope
- Denial-of-service attacks against production infrastructure.
- Social engineering or phishing of Truee staff.
- Physical security attacks.
- Vulnerabilities in third-party services not controlled by Truee.
- Reports generated by automated scanners without a demonstrated impact.
8.4 Safe Harbour
We will not take legal action against security researchers who: discover vulnerabilities without exploiting them beyond what is necessary to demonstrate the issue, report findings to us promptly and privately, and do not access, modify, or exfiltrate user data beyond what is minimally necessary for the proof of concept.
9. Compliance & Audits
- NDPA / NDPR — our data handling practices comply with the Nigeria Data Protection Act 2023 and Nigeria Data Protection Regulation as described in our Privacy Policy.
- GDPR / UK GDPR — our data handling practices are aligned with European data protection requirements for users in the EEA and UK, as described in our Privacy Policy.
- CCPA — California Consumer Privacy Act rights are honoured for California residents.
- PCI-DSS — payment card data is handled exclusively by PCI-DSS compliant processors.
- Penetration testing — we conduct or commission penetration tests on a regular basis and remediate identified findings.
- Security reviews — significant platform changes undergo a security review before deployment.
10. Scope & Exclusions
This Security Policy applies to the Truee Platform including usetruee.com and associated APIs. It does not apply to:
- Third-party services linked from the Platform (e.g., external documentation, payment processors). Their security practices are governed by their own policies.
- AI partner networks that consume profile data via the API. Truee provides cryptographically-signed data; how partners store or use that data is subject to their own security practices.
11. Security Contact
Email: security@usetruee.com
For general privacy questions: privacy@usetruee.com
For legal / terms questions: legal@usetruee.com
PGP key for encrypted disclosures: available on request.