Compliance

Documentation Index

Fetch the complete documentation index at: https://docs.triform.ai/llms.txt

Use this file to discover all available pages before exploring further.

​

Overview

Triform is committed to meeting industry standards and regulatory requirements to protect your data and ensure service reliability.

​

Current compliance status

​

GDPR (General Data Protection Regulation)

Status: ✅ Compliant Scope: All users in the European Union Key practices:

• Lawful basis for processing (contract, consent, legitimate interest)
• Data minimization (collect only what’s needed)
• Purpose limitation (use data only for stated purposes)
• Storage limitation (retain only as long as necessary)
• Security measures (encryption, access control)
• Data subject rights (access, deletion, portability)
• Cross-border transfer safeguards (Standard Contractual Clauses)

Your rights under GDPR:

• Right to access — Request a copy of your data
• Right to rectification — Correct inaccurate data
• Right to erasure — “Right to be forgotten”
• Right to portability — Export your data
• Right to object — Object to certain processing
• Right to restrict — Limit how we use your data

Exercise rights: Account Settings → Privacy or email privacy@triform.ai DPO contact: dpo@triform.ai

​

CCPA (California Consumer Privacy Act)

Status: ✅ Compliant Scope: California residents Key practices:

• Disclosure of data collection and use
• Opt-out of data “sales” (we don’t sell data)
• Do Not Sell My Personal Information
• Equal service regardless of privacy choices
• Access and deletion rights

Your rights under CCPA:

• Right to know — What data we collect and how it’s used
• Right to delete — Request deletion of your data
• Right to opt-out — Opt out of “sales” (not applicable—we don’t sell)
• Right to non-discrimination — Equal service regardless

Exercise rights: Email privacy@triform.ai Verification: We’ll verify your identity before fulfilling requests

​

SOC 2 Type II

Status: 🟡 Planned (2026) Scope: Trust Services Criteria Framework:

• Security — Protection against unauthorized access
• Availability — Service uptime and reliability
• Processing integrity — Complete, accurate, timely processing
• Confidentiality — Protection of confidential information
• Privacy — Collection, use, retention, disclosure aligned with commitments

What this means:

• Independent audit of our security controls
• Verification of implementation over time (6-12 months)
• Report available to customers upon request (when complete)

​

ISO 27001

Status: 🟡 Planned (2026) Scope: Information Security Management System (ISMS) Framework:

• Risk assessment and treatment
• Security policies and procedures
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• Supplier relationships
• Incident management
• Business continuity
• Compliance

What this means:

• International standard for information security
• Comprehensive security management
• Regular audits and continuous improvement

​

Data protection measures

​

Technical controls

Encryption:

• AES-256 at rest
• TLS 1.2+ in transit
• Encrypted backups

Access control:

• Role-based access (RBAC)
• Session management
• IP allowlisting (Enterprise)

Network security:

• Firewalls and network segmentation
• DDoS protection
• Intrusion detection
• Vulnerability scanning

Code execution:

• Sandboxed environments
• Resource limits
• Dependency scanning
• Static analysis

​

Organizational controls

Policies:

• Information security policy
• Data retention policy
• Incident response plan
• Business continuity plan

Vendor management:

• Security questionnaires
• Contract reviews
• Regular assessments

Physical security:

• Data centers with 24/7 security
• Biometric access controls
• Video surveillance
• Environmental controls

​

Sub-processors

We use trusted third-party services:

​

Infrastructure

Scaleway

• Service: Cloud infrastructure
• Data processed: All customer data
• Location: France, EU/APAC
• Compliance: SOC 2, ISO 27001, GDPR, many others
• DPA: Standard Contractual Clauses

6G AI Sweden

• Service: Inference
• Data processed: Data sent through Agents
• Location: Sweden
• Compliance: SOC 2, ISO 27001, GDPR
• DPA: Standard Contractual Clauses

​

Payment processing

Polar

• Service: Payment processing, Record of Merchant
• Data processed: Payment methods, billing info
• Location: Sweden
• Compliance: PCI DSS Level 1, SOC 2, ISO 27001, GDPR
• DPA: Standard Contractual Clauses

Full list: Available upon request to compliance@triform.ai

​

Data Processing Agreement (DPA)

For GDPR and other regulations, we offer a Data Processing Agreement. What’s included:

• Roles and responsibilities (controller vs. processor)
• Data processing terms
• Security measures
• Sub-processor list
• Data breach notification procedures
• Audit rights
• Data deletion procedures
• Standard Contractual Clauses (for EU transfers)

How to request:

1. Email compliance@triform.ai
2. Provide Organization name and contact
3. We’ll send DPA for review
4. Both parties sign
5. DPA effective upon execution

Available to: All Pro and Enterprise customers

​

Audits and certifications

​

Internal audits

• Quarterly security reviews
• Annual risk assessments
• Continuous penetration testing
• Code security reviews
• Access reviews

​

External audits

• SOC 2 audit (planned)
• ISO 27001 (planned)
• Penetration tests (annual)
• Third-party security assessments

​

Bug bounty program

Status: Coming soon (2026) Scope: Responsible disclosure program Details: Will be announced on our security page

​

Regulatory response

​

Data breach notification

EU (GDPR): Within 72 hours to supervisory authority, without undue delay to affected individuals California (CCPA): Without unreasonable delay Other jurisdictions: Per applicable law Our commitment:

• Investigate thoroughly
• Notify promptly
• Provide clear information
• Assist with mitigation

​

Industry-specific guidance

​

Healthcare

If you’re in healthcare:

• Use de-identified or anonymized data
• Implement additional access controls
• Document your compliance approach

​

Financial services

If you’re in finance:

• Use encryption (automatic)
• Enable audit logging (automatic)
• Implement access reviews
• Document your data flows

​

Education

If you’re in education:

• Minimize student data collection
• Use access controls (automatic)
• Review who has access regularly
• Implement data retention policies

​

Government

If you’re in government:

• Document security practices
• Consider on-premises options (contact sales)

​

Requesting compliance documentation

What’s available:

• Security whitepaper
• DPA (Data Processing Agreement)
• Sub-processor list
• SOC 2 report (when complete)
• Custom security questionnaires

How to request:

1. Email compliance@triform.ai
2. Specify what you need
3. Provide Organization name
4. Include your contact information

NDA required for: SOC 2 reports, detailed security architecture Response time: 5 business days

​

Attestations

We can provide attestations for:

• Data encryption practices
• Access control measures
• Backup and recovery procedures
• Incident response capabilities
• Business continuity planning

Contact: compliance@triform.ai

​

FAQs

Q: Where is my data stored?
A: EU by default. EU and APAC options for Enterprise. Q: Do you sell my data?
A: No, we never sell customer data. Q: Do you support on-premises deployment?
A: Contact sales for availability.

​

Contact

Compliance inquiries: compliance@triform.ai
Privacy questions: privacy@triform.ai
Security concerns: security@triform.ai
DPO (Data Protection Officer): dpo@triform.ai Response time: 5 business days for compliance requests

​

Related

Continue exploring the security documentation to learn about security overview, data retention, and compliance measures.