> ## Documentation Index
> Fetch the complete documentation index at: https://docs.truv.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Overview of Truv security, privacy, compliance, webhook security, and mTLS

Truv supports security controls for regulated integrations, including webhook signature verification, mutual TLS (mTLS) for APIs and webhooks, and additional authentication options for webhook delivery.

<CardGroup cols={2}>
  <Card title="Privacy & Compliance" icon="shield-check" href="#privacy-and-compliance">
    User consent, secure transport, compliance materials, and where to request documentation.
  </Card>

  <Card title="Webhook Security" icon="webhook" href="/api-reference/webhooks#security">
    Signature verification, delivery timing, retries, and webhook allowlisting guidance.
  </Card>

  <Card title="mTLS" icon="shield-halved" href="#mtls-api-endpoints">
    Mutual TLS for Truv APIs and webhook delivery, including certificate setup paths.
  </Card>

  <Card title="Trust Center" icon="shield-check" href="https://trust.truv.com/">
    Current security documents, reports, and questionnaires.
  </Card>
</CardGroup>

***

## Webhook signature verification

Every webhook request from Truv includes an `X-WEBHOOK-SIGN` header. Validate that signature against the raw request body with your Access Secret before you process the event.

Use [Webhook Security](/api-reference/webhooks#security) for verification examples, retry behavior, IP allowlisting, and handling guidance.

***

## mTLS API endpoints

Mutual TLS (mTLS) enhances standard TLS by requiring both the client and the server to authenticate each other using digital certificates. This ensures only trusted parties can establish communication with Truv's API.

| Environment    | Endpoint                    |
| -------------- | --------------------------- |
| **Production** | `api-mtls.truv.com`         |
| **Sandbox**    | `api-sandbox-mtls.truv.com` |

***

## Set up mTLS for APIs

<Steps>
  <Step title="Generate a private key and CSR">
    Create a Certificate Signing Request using X.509v3 format with RSA or ECDSA keys and SHA256:

    ```
    CN: api-mtls.<your-name>.truv.com
    O:  Truv Inc
    L:  Miami
    ST: Florida
    C:  US
    ```
  </Step>

  <Step title="Submit your CSR to Truv">
    Truv will issue a signed certificate valid for one year.
  </Step>

  <Step title="Connect using your certificate">
    ```bash theme={null}
    curl --cert $CERT.pem --key $PRIVATE_KEY.key https://api-mtls.truv.com/v1/orders/
    ```
  </Step>

  <Step title="Configure your firewall">
    Allow Truv's IP addresses through your firewall:

    **Production:** `35.167.32.174`, `35.165.53.192`, `54.71.147.242`

    **Sandbox:** `44.235.37.104`, `35.83.220.165`, `52.38.209.190`
  </Step>

  <Step title="Contact Truv Support">
    Work with Truv Support to enable mTLS on your account.
  </Step>
</Steps>

***

## mTLS for webhooks

Truv supports mTLS for webhook communication. The following authentication approaches are available:

### Truv's signed certificate

Configure the public certificate from `mtls-prod.truv.com` on your webhook endpoint to verify that requests originate from Truv.

### Client-signed certificate

Truv submits a CSR and you issue a signed certificate. Truv then uses your certificate when delivering webhooks to your endpoint.

### OAuth 2.0 (optional)

Truv supports OAuth 2.0 authentication when invoking webhooks. Truv obtains access tokens for secure webhook delivery. Contact Truv Support to configure OAuth settings.

### Custom headers

You can configure custom headers (Client ID and Client Secret) on webhook deliveries for an additional authentication layer. Work with Truv Support to configure.

For the source IP addresses Truv uses to deliver webhooks, see [Webhook Security](/api-reference/webhooks#originating-ip-addresses).

***

## Privacy and compliance

Truv's privacy and compliance documentation centers on three practical areas:

* explicit end-user consent before data access
* secure transport for all API communication
* current audit reports, questionnaires, and supporting materials through the Trust Center and compliance contacts

### User consent

Access to end-user data requires explicit user consent through the Truv connection flow. Users authenticate directly with their provider and authorize access to the requested data before Truv returns verification results.

Use your implementation to make that consent flow clear to end users and request only the data required for your use case.

### Secure transport

All API traffic must use HTTPS with TLS 1.2 or higher.

For integrations with stricter authentication requirements, Truv also supports [mTLS](#mtls-api-endpoints) for public API traffic and webhook delivery.

### Data handling expectations

Use the same controls you would apply to other sensitive verification data:

* keep API credentials in environment variables or a secrets manager
* restrict access to verification data to the systems and roles that need it
* define retention windows that match your business and regulatory requirements
* log access to sensitive data and security-relevant events for auditability

Implementation details for credential handling and webhook verification live in [Webhook Security](/api-reference/webhooks#security).

### Compliance highlights

* SOC 2 Type II certified with continuous monitoring
* Regular internal and external network penetration testing and third-party code reviews
* Role-based access controls enforced at each layer of infrastructure
* Multi-factor authentication required for access to Truv infrastructure
* All application and user access logs stored centrally and monitored
* Sensitive data encrypted with an additional layer beyond standard TLS

### Compliance materials

For current security documents, questionnaires, and supporting materials, use the [Truv Trust Center](https://trust.truv.com/) or contact the Truv compliance team at [compliance@truv.com](mailto:compliance@truv.com).

***

## Contact

<CardGroup cols={2}>
  <Card title="Security Team" icon="shield" href="mailto:security@truv.com">
    [security@truv.com](mailto:security@truv.com)
  </Card>

  <Card title="Compliance Requests" icon="file-lines" href="mailto:compliance@truv.com">
    [compliance@truv.com](mailto:compliance@truv.com)
  </Card>
</CardGroup>
