Skip to main content

Trust & security

Your customers’ conversations are your most sensitive data. We protect them like it.

Tromml captures what your frontline hears in the field. Pricing pressure, competitor moves, accounts going quiet. That’s some of the most sensitive intelligence your business has. Here is how we keep it safe, and where our SOC 2 program stands.

Where we are

The controls are running. The audit is the last step.

Our security policies are approved and the controls on this page run in production today. Our SOC 2 Type I program formalizes that work for an independent auditor, and we’re booked for Q4 2026. The protection is already in place; the audit puts a signature on it.

  1. 01Done

    Policies approved

    14 policies, version 1.0, approved July 2026.

  2. 02Done

    Controls in operation

    The controls on this page run in production today.

  3. 03Q4 2026

    Type I audit

    Independent SOC 2 Type I examination.

The Type I report lands in Q4 2026. We’ll post it here the day it does.

How we protect your data

What actually guards your data.

Six control areas, drawn straight from our approved policies, each running in production today.

Encryption

Encrypted in transit and at rest. TLS 1.2+ on every connection; AES-256 on every database, file store, and backup. Encryption keys are held in Azure Key Vault.

Access control

Least privilege by default. Access to production is role-based and granted only where the job requires it. Multi-factor authentication is enforced across all administrative access.

Logging & monitoring

Activity across our systems is logged and monitored, so unusual access is visible and reviewable, not lost in the noise.

Change management

Code reaches production through peer review and a controlled release process. Nothing ships straight from someone's laptop.

Backups & recovery

Customer data is backed up on a regular schedule and encrypted, with restore testing to confirm recovery works.

Vendor management

Every subprocessor that touches customer data goes through security review, with data-processing terms on file before it handles anything of yours.

The line we don’t cross

Your conversations never become someone else’s training data.

Tromml runs on AI models we’ve selected and configured. But your customer conversations are never used to train public models, never sold, and never shared beyond the subprocessors that run the service. SecureAI Chat is a private workspace. What your frontline says in the field stays yours.

Governance

Fourteen policies. Approved, owned, and reviewed.

Security at Tromml is a program, not a page. It’s owned by our CTO and reviewed at least once a year. These are the policies that govern how we build, operate, and respond.

  • Information Security Policy
  • Access Control Policy
  • Encryption Policy
  • Logging & Monitoring Policy
  • Change Management Policy
  • Secure SDLC Policy
  • Risk Management Policy
  • Data Classification Policy
  • Incident Response Plan
  • Vendor / Third-Party Management Policy
  • Backup Policy
  • Business Continuity & Disaster Recovery Policy
  • Acceptable Use Policy
  • HR / Personnel Security Policy

Approved v1.0 · July 2026 · next scheduled review July 2027.

Where your data lives

Hosted in Microsoft Azure. Here’s every subprocessor.

Your data is hosted in Microsoft Azure data centers in the United States and Canada, with our application database on Supabase. We rely on a short list of subprocessors to run the service. Here are the ones that handle customer data.

SubprocessorPurposeRegion
Microsoft AzureCloud hosting, storage, and key managementUS East · Canada Central
SupabaseApplication databaseUnited States
Azure OpenAIAI inference. Not trained on your data.United States
AWS BedrockAI inference. Not trained on your data.United States
GitHubSource code and build pipelineUnited States

A full, current subprocessor list is available on request.

On the way to the audit

What the audit adds on top.

The controls are in operation. A Type I audit puts an independent examiner behind them. Ahead of Q4, we’re:

  • Documenting each control against the SOC 2 criteria
  • Collecting the evidence an auditor will sample
  • Gathering security reports for every subprocessor on file
  • Booking the independent Type I examination

None of it changes how your data is protected today. It changes who has signed off on it.

Responsible disclosure

Found something? Tell us.

If you believe you’ve found a security vulnerability in Tromml, email security@tromml.com. We’ll acknowledge you, investigate, and keep you posted. We don’t pursue researchers acting in good faith.

See it for yourself

Security you can question, on a product you can try.

Last updated: 07/09/2026