Security

Storing identifiers

It’s critical to properly handle identifiers returned by Bridge and direct API endpoints.

Truv's identifiers let you associate API and Provider events with your requests, and will help our support team resolve your support issues faster.

❗️ Make sure access_token is never exposed on the client-side. You should store these tokens securely on the backend and associate them with users of your application.

🚧 A user can hold multiple access_tokens if they have accounts with multiple payroll providers.
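The following is an added illustration of the storage rule above, not code from Truv or its SDK: a backend-only vault that associates each access_token with a user and a payroll provider (so one user may hold several), hands the client an opaque handle instead of the token, and runs a leak check over every payload before it is returned to the client. `TokenVault`, `provider_id`, the handle derivation and the sample token values are all hypothetical choices made for this example.

```python
"""Backend vault for Truv access_tokens (added example, not Truv's SDK)."""
import hashlib
import hmac
import secrets

# Hypothetical: in production load this from a secrets manager, never from the client.
HANDLE_KEY = secrets.token_bytes(32)


def leaks_token(payload) -> bool:
    """True if an access_token key appears anywhere in a client-bound payload."""
    if isinstance(payload, dict):
        return any(k == "access_token" or leaks_token(v) for k, v in payload.items())
    if isinstance(payload, list):
        return any(leaks_token(item) for item in payload)
    return False


class TokenVault:
    """Keeps access_tokens on the server side only, keyed by user and provider."""

    def __init__(self) -> None:
        # user_id -> provider_id -> access_token (one token per payroll provider)
        self._tokens: dict[str, dict[str, str]] = {}

    def handle_for(self, user_id: str, provider_id: str) -> str:
        # Keyed hash of (user, provider): the client can refer to a connection
        # by this handle without ever seeing the token behind it.
        msg = f"{user_id}:{provider_id}".encode()
        return hmac.new(HANDLE_KEY, msg, hashlib.sha256).hexdigest()[:16]

    def store(self, user_id: str, provider_id: str, access_token: str) -> str:
        """Associate a token with a user; returns the client-safe handle."""
        self._tokens.setdefault(user_id, {})[provider_id] = access_token
        return self.handle_for(user_id, provider_id)

    def token_for(self, user_id: str, provider_id: str) -> str:
        """Server-side lookup used when calling the Truv API on the user's behalf."""
        return self._tokens[user_id][provider_id]

    def client_view(self, user_id: str) -> list[dict]:
        """What the frontend is allowed to see: providers and handles, no tokens."""
        view = [{"provider_id": p, "handle": self.handle_for(user_id, p)}
                for p in self._tokens.get(user_id, {})]
        if leaks_token(view):  # defence in depth: refuse to return a token
            raise ValueError("access_token must not be sent to the client")
        return view
```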

Security overview

Truv’s SOC 2 Type II certification was performed by Dansa D’Arata Soucia LLP, facilitated by Vanta, and our compliance began May 1st, 2021. A copy of Truv ID’s SOC 2 Type II report can be requested under NDA.

On top of the standard practices, we use an additional layer of encryption in all of our systems for sensitive data and only allow access on a need-to-know basis.

We have strict procedures in place for who can gain access or be approved for access, and we log everything along the way. We can see who has access to what data and when, who approved the request, and what the outcome was. Except in exceptional cases where access is truly required, no one can access data. Data access is granted for 24 hours at a time and is revoked automatically.

Routine testing

  • Truv is SOC 2 Type II compliant and we use Vanta, a leading SOC 2 continuous monitoring and compliance software, to keep an eye on and track all of our controls
  • Truv regularly undergoes both internal and external network penetration tests as well as third-party code reviews

Access controls

  • Role-based access controls are enforced at each layer of infrastructure
  • Multi-factor authentication is required for access to Truv infrastructure
  • All application and user access logs are stored centrally and monitored