Privacy & Compliance
User consent, secure transport, compliance materials, and where to request documentation.
Webhook Security
Signature verification, delivery timing, retries, and webhook allowlisting guidance.
mTLS
Mutual TLS for Truv APIs and webhook delivery, including certificate setup paths.
Trust Center
Current security documents, reports, and questionnaires.
Webhook signature verification
Every webhook request from Truv includes an X-WEBHOOK-SIGN header. Validate that signature against the raw request body (the exact bytes received, before any JSON parsing or re-serialization) using your Access Secret, and reject the request before you process the event if the check fails.
Use Webhook Security for verification examples, retry behavior, IP allowlisting, and handling guidance.
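A receiver that applies this check, written here as an added Go example rather than Truv's own sample code. The page does not state the signature algorithm or header layout; this example assumes HMAC-SHA256 over the raw body keyed with the Access Secret, hex-encoded behind a `v1=` prefix, and the secret and body it uses are constructed. Confirm the exact format on the Webhook Security page before relying on it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Assumption (not stated on this page): the header value is "v1=" followed by
// the lowercase hex HMAC-SHA256 of the raw request body, keyed with the Access Secret.
const sigPrefix = "v1="

// Sign computes the expected header value for a raw body. Truv produces this on
// its side; the receiver recomputes it and never trusts anything parsed from the body.
func Sign(secret, rawBody []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(rawBody)
	return sigPrefix + hex.EncodeToString(mac.Sum(nil))
}

// Verify rejects a missing or unknown-version header, then compares in constant
// time so a forger cannot learn the correct value byte by byte from timing.
func Verify(secret []byte, header string, rawBody []byte) error {
	if header == "" {
		return errors.New("missing X-WEBHOOK-SIGN header")
	}
	if !strings.HasPrefix(header, sigPrefix) {
		return errors.New("unsupported signature version")
	}
	if !hmac.Equal([]byte(Sign(secret, rawBody)), []byte(header)) {
		return errors.New("signature mismatch")
	}
	return nil
}

// Handler reads the body exactly as sent, bounded in size, and verifies it
// before any JSON decoding or event processing happens.
func Handler(secret []byte, maxBody int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		rawBody, err := io.ReadAll(io.LimitReader(r.Body, maxBody))
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		if err := Verify(secret, r.Header.Get("X-WEBHOOK-SIGN"), rawBody); err != nil {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		// Only now is it safe to json.Unmarshal(rawBody, ...) and act on the event.
		w.WriteHeader(http.StatusOK)
	}
}

func main() {
	secret := []byte("access-secret-example")                                      // constructed; use your Access Secret
	body := []byte(`{"webhook_id":"example","event_type":"task-status-updated"}`) // constructed sample body
	header := Sign(secret, body)
	fmt.Println("genuine:", Verify(secret, header, body))
	tampered := []byte(`{"webhook_id":"example","event_type":"task-status-deleted"}`)
	fmt.Println("tampered:", Verify(secret, header, tampered))
}
```

Two details matter in practice: hash the bytes as received, because decoding and re-encoding the JSON changes key order and whitespace and silently breaks the comparison; and bound the body read, since the verification runs before you know the request is genuine.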
mTLS API endpoints
Mutual TLS (mTLS) extends standard TLS by requiring both the client and the server to authenticate each other with X.509 certificates, so only parties holding a certificate Truv trusts can establish a session with Truv’s API.

| Environment | Endpoint |
|---|---|
| Production | api-mtls.truv.com |
| Sandbox | api-sandbox-mtls.truv.com |
Set up mTLS for APIs
Generate a private key and CSR
Create a Certificate Signing Request using X.509v3 format with RSA or ECDSA keys and SHA256:
Configure your firewall
Allow Truv’s IP addresses through your firewall:

| Environment | IP addresses |
|---|---|
| Production | 35.167.32.174, 35.165.53.192, 54.71.147.242 |
| Sandbox | 44.235.37.104, 35.83.220.165, 52.38.209.190 |
mTLS for webhooks
Truv supports mTLS for webhook delivery. The following authentication approaches are available:
Truv’s signed certificate
Configure the public certificate from mtls-prod.truv.com as the trusted client certificate on your webhook endpoint, so that only deliveries presenting that certificate are accepted as originating from Truv.
Client-signed certificate
Truv submits a CSR and you issue a signed certificate from it, acting as the issuing CA. Truv then presents that certificate when delivering webhooks to your endpoint.
OAuth 2.0 (optional)
Truv supports OAuth 2.0 authentication when invoking webhooks: Truv obtains an access token and presents it on each delivery. Contact Truv Support to configure OAuth settings.
Custom headers
You can configure custom headers (a Client ID and Client Secret) on webhook deliveries as an additional authentication layer; treat their values as credentials and compare them server-side before processing the event. Work with Truv Support to configure them. For the source IP addresses Truv uses to deliver webhooks, see Webhook Security.
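The listener-side policy for both certificate options above, together with the issuing step for the client-signed option, as an added Go example that is not Truv's code. It assumes that the certificate you obtain from mtls-prod.truv.com (or the CA you run yourself) is the single trusted root for the webhook listener, and that the leaf Truv presents carries the Common Name `mtls-prod.truv.com`; that name, the CA name, and the CSR built by `makeCSR` are constructed stand-ins for what you would actually receive.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewCA creates the private CA you keep for the client-signed option; its certificate is also the listener's trust root below.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert signs a submitted CSR: proof of possession is checked, only the subject is copied, and validity and usage come from the issuer, not the requester.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, validFor time.Duration) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-5 * time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// WebhookTLSConfig is the listener policy for either option: exactly one trusted root (your CA, or the certificate fetched
// from mtls-prod.truv.com), a client certificate required, nothing below TLS 1.2, and after chain validation a check that
// the leaf names the expected sender, so any other certificate the same root issued is still refused.
func WebhookTLSConfig(trustedRoot *x509.Certificate, expectedCN string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot)
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || chains[0][0].Subject.CommonName != expectedCN {
				return errors.New("client certificate chains to the root but is not the expected sender")
			}
			return nil
		},
	}
}

// CheckClientCert reproduces the handshake-time decision offline: chain the leaf to the configured root with the
// clientAuth usage, then run the sender check, exactly as crypto/tls does with this config.
func CheckClientCert(cfg *tls.Config, leaf *x509.Certificate) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.ClientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err
	}
	return cfg.VerifyPeerCertificate(nil, chains)
}

// makeCSR stands in for the CSR Truv would submit; it is constructed for this demo, not received from Truv.
func makeCSR(cn string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}
```

For the Truv-signed option, pass the certificate you downloaded as `trustedRoot` and check from the file itself whether it is a CA or a leaf (Go accepts a certificate that is itself in the root pool as trusted, so either works). Plan for rotation in both options: when Truv replaces its certificate you must update the pool, and with the client-signed option the `validFor` you choose decides how often Truv has to come back with a new CSR.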
Privacy and compliance
Truv’s privacy and compliance documentation centers on three practical areas:
- explicit end-user consent before data access
- secure transport for all API communication
- current audit reports, questionnaires, and supporting materials through the Trust Center and compliance contacts
User consent
Access to end-user data requires explicit user consent through the Truv connection flow. Users authenticate directly with their provider and authorize access to the requested data before Truv returns verification results. In your implementation, make that consent step clear to end users and request only the data your use case requires.
Secure transport
All API traffic must use HTTPS with TLS 1.2 or higher; configure your HTTP client to refuse older protocol versions rather than leaving it to negotiation. For integrations with stricter authentication requirements, Truv also supports mTLS for public API traffic and webhook delivery.
Data handling expectations
Use the same controls you would apply to other sensitive verification data:
- keep API credentials in environment variables or a secrets manager
- restrict access to verification data to the systems and roles that need it
- define retention windows that match your business and regulatory requirements
- log access to sensitive data and security-relevant events for auditability
Compliance highlights
- SOC 2 Type II certified with continuous monitoring
- Regular internal and external network penetration testing and third-party code reviews
- Role-based access controls enforced at each layer of infrastructure
- Multi-factor authentication required for access to Truv infrastructure
- All application and user access logs stored centrally and monitored
- Sensitive data encrypted with an additional layer beyond standard TLS