Who has access to my files?
Your privacy and security are extremely important to us. We realize that you trust Trint every day to keep your information secure, and your content and data protected.
Access to customer data is tightly managed with technical and administrative procedures whereby explicit written consent must be sought from the customer prior to access.
Our team can see the titles of your files but does not have access to the content of your uploaded materials. Before we can review any content (for example, when you raise an inquiry with Support), we must ask for your permission and you must explicitly share that content with us.
Where is your data stored?
Transcripts are securely stored on Amazon Web Services in the us-east-1 (N. Virginia) region, or, if you have an Enterprise account in Europe, in eu-west-1 (Dublin). All data is encrypted at rest using the industry standard AES-256 algorithm.
The practice of storing data in the United States is GDPR compliant:
"Transfers may be made where the Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection." - pg. 41
The European Commission recognizes the US as having an adequate level of protection and Trint has signed an explicit GDPR-compliant agreement with AWS.
Who can access the AWS environment where you store data?
Access to the production AWS environment is limited to a small number of infrastructure administrators and is subject to the infrastructure access logging described under Auditing of security events below.
AWS access is via single sign-on with corporate credentials, including 2FA. Additionally, all access credentials are temporary and are automatically revoked every day, so an administrator must obtain fresh credentials the next time access is needed.
How long is your data stored?
Original uploaded media is retained for 30 days. Transcripts and transcoded media, required for the purpose of transcript playback, are retained until the user deletes the transcript from their Trint account. Secure deletion may additionally be requested via the Trint customer support team.
Deleting your data
Trint is GDPR compliant, and as such we are required by law to erase user data upon request within the legally prescribed timeframe (30 days). This is a permanent procedure; it cannot be undone.
If you would like us to erase your account and data, please contact us at firstname.lastname@example.org.
The deletion process is as follows:
• A user sends a data deletion/account deletion request to Trint Support
• Trint removes your information from the internal management systems that we use (billing, accounts, etc.)
• Trint wipes your data from our servers, permanently erasing your files, uploads, etc. (this is processed in bulk on the last day of the month)
• Trint removes you from our Marketing email lists (this is processed in bulk on the last day of the month)
• Finally, Trint removes your email address and queries/requests from our Support database
Contacting you upon completion of this process would require us to keep hold of your data in the form of an e-mail address; as such, this will not be possible after your data has been removed.
Please note: any further interaction with Trint on the part of the user after this process has been started constitutes a new interaction and resets the 30-day timeframe.
We adhere to industry best practice when it comes to encryption. Trint uses HTTPS (TLS 1.2+) to secure your data between your web browser and our servers. When your data is in our custody, it is encrypted using the industry standard AES-256 algorithm.
ISO 27001 Certification
Trint is ISO 27001 certified.
The International Organization for Standardization (ISO) creates guidelines and specifications for the regulation of global standards. ISO 27001 was created by the ISO to provide a global standard for an information security management system (ISMS).
ISO 27001 requires the management team to implement three broad practices:
• Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
• Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis
Trint’s security practices are now ISO 27001 certified as of September 2019.
We regularly perform and update our asset-based information security risk assessment as part of our ISO 27001-compatible information security management system.
Trint does not currently have any HIPAA compliance certifications and we have not completed a formal HIPAA certification process. We have worked with some of our clients in their process of seeking IRB permission to use Trint, which they have received, but we have no formal compliance process in place at this time.
Trint enforces a strong password policy (at least 8 characters long, with at least one uppercase letter (A-Z), one lowercase letter (a-z) and one digit (0-9)) at the point of account sign-up. Users can change their password at any time, either within the application itself or by requesting that a password reset link be sent to their registered email address. Additionally, Trint users can sign in using Google, Facebook or Apple.
Finally, Enterprise account users can use Single Sign-On (SSO), which integrates with the authentication systems of their organization.
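As an added example (not Trint's own code), here is a validator for the sign-up password policy described above. It reports every unmet rule rather than a bare pass/fail, and it deliberately matches only the ASCII classes the policy names (A-Z, a-z, 0-9), so that accented letters such as "É" are not counted as uppercase the way str.isupper() would count them.

```python
import re
from typing import Callable, List, Tuple

# Constructed example implementing the sign-up policy quoted on the page:
# minimum 8 characters, at least one A-Z, one a-z and one 0-9.
POLICY_MIN_LENGTH = 8

# Each rule is (human-readable name, predicate). The character classes are
# explicit ASCII ranges on purpose: str.isupper()/islower()/isdigit() would
# also accept letters and digits outside A-Z, a-z and 0-9, which the policy
# as stated does not count.
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("minimum length", lambda p: len(p) >= POLICY_MIN_LENGTH),
    ("uppercase letter (A-Z)", lambda p: re.search(r"[A-Z]", p) is not None),
    ("lowercase letter (a-z)", lambda p: re.search(r"[a-z]", p) is not None),
    ("digit (0-9)", lambda p: re.search(r"[0-9]", p) is not None),
]


def unmet_rules(password: str) -> List[str]:
    """Return the names of the rules the candidate password fails (empty if it passes).

    Reporting every failed rule at once lets a sign-up form tell the user
    exactly what to fix instead of forcing repeated attempts.
    """
    return [name for name, check in RULES if not check(password)]


def meets_policy(password: str) -> bool:
    """True only when no rule is unmet."""
    return not unmet_rules(password)


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real credentials.
    for candidate in ["Trint2024", "trint2024", "Tr1nt", "Éléphant1"]:
        failed = unmet_rules(candidate)
        print(f"{candidate!r}: {'OK' if not failed else 'unmet: ' + ', '.join(failed)}")
```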
Auditing of security events
Trint maintains an audit log of all user sign-ups and sign-ins. Additionally, all system administrative activity related to user account management is logged (e.g. a user account deletion request). Furthermore, Trint maintains intrusion detection systems on its platform infrastructure to proactively monitor and alert on any anomalous behaviour or access.
Trint has access logs at both the infrastructure and the application level that provide an audit trail of access/modification of data, code and infrastructure configuration.
For infrastructure, we operate proactive intrusion detection and alerting. For data, this is a forensic log intended to be used in the event of unauthorized access/modification.
Local data storage or caching of information
Trint clears browser local storage for its domain on user log-out.
What measures have you put in place to support consistent solution availability?
The Trint application is implemented using highly-available, geographically-distributed redundant systems with automatic failover. Automated backups are taken every 4 hours with additional geographically separated snapshots taken every 24 hours.
Our expected system availability over a 12-month period is > 95%.
Trint maintains and tests both disaster recovery and business continuity plans on a regular basis and we target a return-to-operation of < 4 hours in a worst-case-scenario situation.
In addition to internal formal code reviews, the Trint platform code is subject to automated security scanning using Veracode and Snyk.
Trint incorporates manual code review as a mandatory stage of the software development process. Additionally, we operate automated static application security testing (SAST) and dynamic application security testing (DAST). We further employ dependency vulnerability scanning.
Trint contracts with an external vendor to provide twice-yearly penetration testing of the platform. An executive summary of the latest report is available, under NDA, by request.
Trint is Cyber Essentials certified (certificate #: IASME-A-05792).