Trust Center
How we handle your data, in the open
Everything your Security, IT, and Procurement teams need for a first-pass vendor review — sub-processors, data agreements, and compliance status.
Sub-processor registry
| Sub-processor | Purpose | Region |
|---|---|---|
| Clerk | Authentication and user management | US / EU |
| Stripe | Payment processing | US |
| Railway | Infrastructure hosting (API, Kafka, Redis) | US |
| Vercel | Frontend hosting and CDN | Global |
| Cloudflare | DDoS protection and CDN | Global |
| Resend | Transactional email | US |
| PostHog | Product analytics (tenant-level, no PII) | US |
We give 30-day advance notice for sub-processor changes, consistent with GDPR Art. 28(2). To receive notices, email legal@trulayer.ai.
Data Processing Agreement
A Data Processing Agreement (DPA) is available on request for all paid plans. Send the countersigned copy back from your legal address and we will execute it within two business days.
Supply-chain integrity
Every release artefact we ship — container images, SDK packages, and deployable binaries — is signed and attested so your security team can verify provenance end-to-end.
- cosign signatures: all container images and release tarballs are signed with cosign using keyless OIDC identities; signatures can be verified against our public Rekor transparency log entries.
- CycloneDX SBOMs: a CycloneDX 1.5 SBOM is generated per release and attached to each GitHub release plus every container image.
- SLSA Build Level 3: our CI pipeline produces SLSA provenance at Build Level 3 or higher — hermetic, reproducible builds on a non-falsifiable hosted runner.
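As an added example (not TruLayer's own tooling), these are the consumer-side policy checks a security team would run on the decoded provenance statement and SBOM once `cosign verify-attestation` has validated the signature and its Rekor entry; the image name, builder identity and SBOM contents below are constructed placeholders.

```python
import json

# Constructed sample: an in-toto statement carrying a SLSA provenance v1 predicate,
# i.e. the payload cosign hands back after the signature and Rekor entry check out.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example.invalid/app",      # assumed image name
                 "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"runDetails": {"builder": {
        "id": "https://ci.example.invalid/hosted-runner@v1"}}},  # assumed builder id
})

# Constructed sample: a minimal CycloneDX 1.5 SBOM.
SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "zlib", "version": "1.3.1",
                    "purl": "pkg:generic/zlib@1.3.1"}],
})

TRUSTED_BUILDERS = {"https://ci.example.invalid/hosted-runner@v1"}  # assumed allow-list

def check_provenance(statement_json, expected_sha256, trusted_builders):
    """Return the list of policy failures (an empty list means the statement passes)."""
    s = json.loads(statement_json)
    failures = []
    if s.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicate is not SLSA provenance v1")
    # The statement must name the exact digest you pulled, so a genuine attestation
    # for some other artefact is never accepted for this one.
    digests = {sub.get("digest", {}).get("sha256") for sub in s.get("subject", [])}
    if expected_sha256 not in digests:
        failures.append("subject digest does not match pulled artefact")
    # Build L3 only means something if the builder is one you trust to be L3.
    builder = s.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder!r}")
    return failures

def check_sbom(sbom_json):
    """Return policy failures for a CycloneDX SBOM (an empty list means it passes)."""
    bom = json.loads(sbom_json)
    failures = []
    if bom.get("bomFormat") != "CycloneDX" or bom.get("specVersion") != "1.5":
        failures.append("not a CycloneDX 1.5 document")
    comps = bom.get("components") or []
    if not comps:
        failures.append("SBOM lists no components")
    missing = [c.get("name") for c in comps if not c.get("purl")]  # purl needed for vuln matching
    if missing:
        failures.append(f"components without purl: {missing}")
    return failures
```

Feed the real statement and SBOM JSON from the release in place of the constructed samples, with the digest you actually pulled as `expected_sha256`.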
SOC 2 Type I report
In progress, target Q3 2026. Contact sales@trulayer.ai for timeline updates and observation-window status.
Read the full security posture