Overview
Triform is committed to meeting industry standards and regulatory requirements to protect your data and ensure service reliability.

Current compliance status
GDPR (General Data Protection Regulation)
Status: ✅ Compliant
Scope: All users in the European Union
Key practices:
- Lawful basis for processing (contract, consent, legitimate interest)
- Data minimization (collect only what’s needed)
- Purpose limitation (use data only for stated purposes)
- Storage limitation (retain only as long as necessary)
- Security measures (encryption, access control)
- Data subject rights (access, deletion, portability)
- Cross-border transfer safeguards (Standard Contractual Clauses)

- Right to access — Request a copy of your data
- Right to rectification — Correct inaccurate data
- Right to erasure — “Right to be forgotten”
- Right to portability — Export your data
- Right to object — Object to certain processing
- Right to restrict — Limit how we use your data
CCPA (California Consumer Privacy Act)
Status: ✅ Compliant
Scope: California residents
Key practices:
- Disclosure of data collection and use
- Opt-out of data “sales” (we don’t sell data)
- Do Not Sell My Personal Information
- Equal service regardless of privacy choices
- Access and deletion rights

- Right to know — What data we collect and how it’s used
- Right to delete — Request deletion of your data
- Right to opt-out — Opt out of “sales” (not applicable—we don’t sell)
- Right to non-discrimination — Equal service regardless
SOC 2 Type II
Status: 🟡 Planned (2026)
Scope: Trust Services Criteria
Framework:
- Security — Protection against unauthorized access
- Availability — Service uptime and reliability
- Processing integrity — Complete, accurate, timely processing
- Confidentiality — Protection of confidential information
- Privacy — Collection, use, retention, disclosure aligned with commitments

- Independent audit of our security controls
- Verification of implementation over time (6-12 months)
- Report available to customers upon request (when complete)
ISO 27001
Status: 🟡 Planned (2026)
Scope: Information Security Management System (ISMS)
Framework:
- Risk assessment and treatment
- Security policies and procedures
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- Supplier relationships
- Incident management
- Business continuity
- Compliance

- International standard for information security
- Comprehensive security management
- Regular audits and continuous improvement
Data protection measures
Technical controls
Encryption:
- AES-256 at rest
- TLS 1.2+ in transit
- Encrypted backups

- Role-based access (RBAC)
- Session management
- IP allowlisting (Enterprise)
- Firewalls and network segmentation
- DDoS protection
- Intrusion detection
- Vulnerability scanning
- Sandboxed environments
- Resource limits
- Dependency scanning
- Static analysis
Organizational controls
Policies:
- Information security policy
- Data retention policy
- Incident response plan
- Business continuity plan

- Security questionnaires
- Contract reviews
- Regular assessments

- Data centers with 24/7 security
- Biometric access controls
- Video surveillance
- Environmental controls
Sub-processors
We use trusted third-party services:

Infrastructure
Scaleway
- Service: Cloud infrastructure
- Data processed: All customer data
- Location: France, EU/APAC
- Compliance: SOC 2, ISO 27001, GDPR, many others
- DPA: Standard Contractual Clauses

- Service: Inference
- Data processed: Data sent through Agents
- Location: Sweden
- Compliance: SOC 2, ISO 27001, GDPR
- DPA: Standard Contractual Clauses
Payment processing
Polar
- Service: Payment processing, Record of Merchant
- Data processed: Payment methods, billing info
- Location: Sweden
- Compliance: PCI DSS Level 1, SOC 2, ISO 27001, GDPR
- DPA: Standard Contractual Clauses
Data Processing Agreement (DPA)
For GDPR and other regulations, we offer a Data Processing Agreement.

What’s included:
- Roles and responsibilities (controller vs. processor)
- Data processing terms
- Security measures
- Sub-processor list
- Data breach notification procedures
- Audit rights
- Data deletion procedures
- Standard Contractual Clauses (for EU transfers)

- Email compliance@triform.ai
- Provide Organization name and contact
- We’ll send DPA for review
- Both parties sign
- DPA effective upon execution
Audits and certifications
Internal audits
- Quarterly security reviews
- Annual risk assessments
- Continuous penetration testing
- Code security reviews
- Access reviews
External audits
- SOC 2 audit (planned)
- ISO 27001 (planned)
- Penetration tests (annual)
- Third-party security assessments
Bug bounty program
Status: Coming soon (2026)
Scope: Responsible disclosure program
Details: Will be announced on our security page

Regulatory response
Data breach notification
EU (GDPR): Within 72 hours to supervisory authority, without undue delay to affected individuals
California (CCPA): Without unreasonable delay
Other jurisdictions: Per applicable law

Our commitment:
- Investigate thoroughly
- Notify promptly
- Provide clear information
- Assist with mitigation
Industry-specific guidance
Healthcare
If you’re in healthcare:
- Use de-identified or anonymized data
- Implement additional access controls
- Document your compliance approach
Financial services
If you’re in finance:
- Use encryption (automatic)
- Enable audit logging (automatic)
- Implement access reviews
- Document your data flows
Education
If you’re in education:
- Minimize student data collection
- Use access controls (automatic)
- Review who has access regularly
- Implement data retention policies
Government
If you’re in government:
- Document security practices
- Consider on-premises options (contact sales)
Requesting compliance documentation
What’s available:
- Security whitepaper
- DPA (Data Processing Agreement)
- Sub-processor list
- SOC 2 report (when complete)
- Custom security questionnaires

- Email compliance@triform.ai
- Specify what you need
- Provide Organization name
- Include your contact information
Attestations
We can provide attestations for:
- Data encryption practices
- Access control measures
- Backup and recovery procedures
- Incident response capabilities
- Business continuity planning
FAQs
Q: Where is my data stored?
A: EU by default. EU and APAC options for Enterprise.

Q: Do you sell my data?
A: No, we never sell customer data.

Q: Do you support on-premises deployment?
A: Contact sales for availability.
Contact
Compliance inquiries: compliance@triform.ai
Privacy questions: privacy@triform.ai
Security concerns: security@triform.ai
DPO (Data Protection Officer): dpo@triform.ai
Response time: 5 business days for compliance requests