To be clear, however, the merit of using Trint is that no one can see your transcript: we use machine learning-powered AI that converts your audio into text, eliminating the middleman and any need for human involvement on our part.
How is access to data managed?
Access to customer data is tightly managed with technical and administrative procedures whereby explicit written consent must be sought from the customer prior to access.
Our team does not have access to your uploaded materials, and we are required to ask you for permission and the express sharing of your content before we can review it (in instances of an inquiry to Support, for example).
Where is your data stored?
Transcripts are securely stored on Amazon Web Services in the us-east-1 (N. Virginia) region. All data is encrypted at-rest using the industry standard AES-256 algorithm.
Storing data in the United States is GDPR compliant under the adequacy provisions of the regulation:
"Transfers may be made where the Commission has decided that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection." (p. 41)
The European Commission recognizes the US as having an adequate level of protection and Trint has signed an explicit GDPR-compliant agreement with AWS.
Who can access the AWS environment where data is stored?
Access to the production AWS environment is limited to a small number of infrastructure administrators and is subject to the infrastructure access logging described above.
AWS access is via single sign-on with corporate credentials, including 2FA. Additionally, all access credentials are temporary and are automatically revoked daily, so they must be re-acquired when next needed.
How long is your data stored?
Original uploaded media is retained for 30 days. Transcripts and transcoded media, required for the purpose of transcript playback, are retained until the user deletes the transcript from their Trint account. Secure deletion may additionally be requested via the Trint customer support team.
Deleting your data
Trint is GDPR compliant, and as such we are required by law to erase user data upon request within the legally prescribed timeframe (30 days). This is a permanent procedure. It cannot be undone.
If you would like us to erase your account and data, please contact us at email@example.com.
The deletion process is as follows:
- A user sends a data deletion/account deletion request to Trint Support
- Trint will remove your information from the internal management systems that we use (billing, accounts, etc.)
- Trint will wipe your data from our servers, permanently erasing your files, uploads, etc. (this is processed in bulk on the last day of the month)
- Trint will remove you from our Marketing email lists (this is processed in bulk on the last day of the month)
- Finally, Trint will remove your email address and queries/requests from our Support database
Contacting you upon completion of this process would require us to retain your data in the form of an e-mail address; as such, this is not possible once your data has been removed.
Please note: any further interaction with Trint on the part of the user after this process has been started constitutes a new interaction and resets the 30-day timeframe.
We adhere to industry best practice when it comes to encryption. Trint uses HTTPS (TLS 1.2+) to secure your data between your web browser and our servers. When your data is in our custody, it is encrypted using the industry standard AES-256 algorithm.
ISO 27001 Certification
We are in the process of obtaining formal ISO 27001 certification and while this process will take some months yet to complete you can be assured that Trint operates an Information Security Management System aligned with the principles of the ISO 27001 standard in preparation for that certification.
We regularly perform and update our asset-based information security risk assessment as part of our ISO 27001-aligned information security management system.
Trint does not currently have any HIPAA compliance certifications and we have not completed a formal HIPAA certification process. We have worked with some of our clients in their process of seeking IRB permission to use Trint, which they have received, but we have no formal compliance process in place at this time.
Trint enforces a strong password policy at the point of account sign-up: passwords must be at least 8 characters long and contain at least one uppercase letter (A-Z), one lowercase letter (a-z) and one digit (0-9). Users can change their password at any time, either within the application itself or by requesting that a password reset link be sent to their registered email address.
Auditing of security events
Trint maintains an audit log of all user sign-ups and sign-ins. Additionally, all system administrative activity related to user account management is logged (e.g. a user account deletion request). Furthermore, Trint maintains intrusion detection systems on its platform infrastructure to proactively monitor and alert on any anomalous behaviour or access.
Trint has access logs at both the infrastructure and the application level that provide an audit trail of access/modification of data, code and infrastructure configuration.
For infrastructure, we operate proactive intrusion detection and alerting. For data, this is a forensic log intended to be used in the event of unauthorized access/modification.
Local data storage or caching of information
Trint clears browser local storage for its domain on user log-out.
What measures have you put in place to support consistent solution availability?
The Trint application is implemented using highly-available, geographically-distributed redundant systems with automatic failover. Automated backups are taken every 4 hours with additional geographically separated snapshots taken every 24 hours.
Our expected system availability over a 12-month period is > 95%.
Trint maintains and tests both disaster recovery and business continuity plans on a regular basis, and we target a return-to-operation time of < 4 hours in a worst-case scenario.
In addition to internal formal code reviews, the Trint platform code is subject to automated security scanning using Veracode and Snyk.
Trint incorporates manual code review as a mandatory stage of the software development process. Additionally, we operate automated static application security testing (SAST) and dynamic application security testing (DAST). We further employ dependency vulnerability scanning.
Trint contracts with an external vendor to provide twice-yearly penetration testing of the platform. An executive summary of the latest report is available on request, under NDA.
In the event of a breach, how does Trint respond?
Trint responds in accordance with our incident response procedure which includes timely correspondence with affected customers.