Trust & security
Your customers’ conversations are your most sensitive data. We protect them like it.
Tromml captures what your frontline hears in the field. Pricing pressure, competitor moves, accounts going quiet. That’s some of the most sensitive intelligence your business has. Here is how we keep it safe, and where our SOC 2 program stands.
Where we are
The controls are running. The audit is the last step.
Our security policies are approved and the controls on this page run in production today. Our SOC 2 Type I program formalizes that work for an independent auditor, and we’re booked for Q4 2026. The protection is already in place; the audit puts a signature on it.
- 01Done
Policies approved
14 policies, version 1.0, approved July 2026.
- 02Done
Controls in operation
The controls on this page run in production today.
- 03Q4 2026
Type I audit
Independent SOC 2 Type I examination.
The Type I report lands in Q4 2026. We’ll post it here the day it does.
How we protect your data
What actually guards your data.
Six control areas, drawn straight from our approved policies, each running in production today.
Encryption
Encrypted in transit and at rest. TLS 1.2+ on every connection; AES-256 on every database, file store, and backup. Encryption keys are held in Azure Key Vault.
Access control
Least privilege by default. Access to production is role-based and granted only where the job requires it. Multi-factor authentication is enforced across all administrative access.
Logging & monitoring
Activity across our systems is logged and monitored, so unusual access is visible and reviewable, not lost in the noise.
Change management
Code reaches production through peer review and a controlled release process. Nothing ships straight from someone's laptop.
Backups & recovery
Customer data is backed up on a regular schedule and encrypted, with restore testing to confirm recovery works.
Vendor management
Every subprocessor that touches customer data goes through security review, with data-processing terms on file before it handles anything of yours.
The line we don’t cross
Your conversations never become someone else’s training data.
Tromml runs on AI models we’ve selected and configured. But your customer conversations are never used to train public models, never sold, and never shared beyond the subprocessors that run the service. SecureAI Chat is a private workspace. What your frontline says in the field stays yours.
Governance
Fourteen policies. Approved, owned, and reviewed.
Security at Tromml is a program, not a page. It’s owned by our CTO and reviewed at least once a year. These are the policies that govern how we build, operate, and respond.
- Information Security Policy
- Access Control Policy
- Encryption Policy
- Logging & Monitoring Policy
- Change Management Policy
- Secure SDLC Policy
- Risk Management Policy
- Data Classification Policy
- Incident Response Plan
- Vendor / Third-Party Management Policy
- Backup Policy
- Business Continuity & Disaster Recovery Policy
- Acceptable Use Policy
- HR / Personnel Security Policy
Approved v1.0 · July 2026 · next scheduled review July 2027.
Where your data lives
Hosted in Microsoft Azure. Here’s every subprocessor.
Your data is hosted in Microsoft Azure data centers in the United States and Canada, with our application database on Supabase. We rely on a short list of subprocessors to run the service. Here are the ones that handle customer data.
| Subprocessor | Purpose | Region |
|---|---|---|
| Microsoft Azure | Cloud hosting, storage, and key management | US East · Canada Central |
| Supabase | Application database | United States |
| Azure OpenAI | AI inference. Not trained on your data. | United States |
| AWS Bedrock | AI inference. Not trained on your data. | United States |
| GitHub | Source code and build pipeline | United States |
A full, current subprocessor list is available on request.
On the way to the audit
What the audit adds on top.
The controls are in operation. A Type I audit puts an independent examiner behind them. Ahead of Q4, we’re:
- Documenting each control against the SOC 2 criteria
- Collecting the evidence an auditor will sample
- Gathering security reports for every subprocessor on file
- Booking the independent Type I examination
None of it changes how your data is protected today. It changes who has signed off on it.
Responsible disclosure
Found something? Tell us.
If you believe you’ve found a security vulnerability in Tromml, email security@tromml.com. We’ll acknowledge you, investigate, and keep you posted. We don’t pursue researchers acting in good faith.
See it for yourself
Security you can question, on a product you can try.
Last updated: 07/09/2026
