Security
Enterprise-grade posture, built in from day one
We design TruLayer so production AI traffic can run through it without widening your attack surface. Here is how we protect your data and what we are working toward next.
SOC 2 roadmap
SOC 2 Type I
Target: end of Q3 2026
Auditor engaged; observation window underway. Budget allocated (~$30K).
SOC 2 Type II
Target: ~12 months after Type I
Rolling audit once Type I report is issued.
Need the current Type I timeline for a vendor review? Email sales@trulayer.ai.
Data protection
Encryption in transit
All customer traffic is served over TLS 1.2 or newer. HSTS is enabled on public endpoints. Internal service-to-service traffic — including the Kafka ingest pipeline — runs over mutually authenticated TLS.
Encryption at rest
Span payloads, eval records, and metadata are encrypted at rest using AES-GCM. Bring-your-own eval keys are sealed with KMS envelope encryption so the plaintext data-encryption key never lives outside the KMS boundary.
API key hygiene
API keys are stored as HMAC digests — we never retain the plaintext key. Rotate or revoke any key from the dashboard.
Client-side redaction
The TruLayer SDK redacts secrets and configurable PII fields before spans leave your process, so sensitive values never cross our ingress.
Access control (RBAC)
| Role | Scope |
|---|---|
| Owner | Full control over the workspace — billing, members, API keys, data retention, and destructive actions. |
| Member | Create projects, read and write traces and evals, manage alerts and remediations. No billing or member-management access. |
| Viewer | Read-only access to traces, evals, and dashboards. Cannot mutate data, configuration, or workspace settings. |
Responsible disclosure
If you believe you have found a security vulnerability in any TruLayer product, please report it privately. Do not test for vulnerabilities in a way that degrades service for other customers, access data that is not yours, or run automated scanners without coordination.
- Acknowledgement: we aim to respond within 2 business days.
- Fix timelines: based on severity — critical issues are mitigated before a public fix lands.
- Safe harbor: good-faith reports made under this policy will not be pursued legally.