TrueSecurixTrueSecurix
Security review

Security questionnaire

These are straight answers to the questions enterprise security teams commonly ask, so you can start your review immediately. We are also glad to complete your own questionnaire and sign a mutual NDA. Where the honest answer is "not yet", we say so.

Company and product

What does the product do?

TrueSecurix is an identity and document fraud-detection API. A customer sends a selfie, an ID image and/or a bank-statement PDF and receives a fraud-risk score, a pass/review/flag decision and the evidence behind it.

Where is the service hosted?

Microsoft Azure, India region. Verification traffic is processed in India.

Is the product multi-tenant?

Yes. Every request is strictly scoped to the account that made it; one account can never reach another's data.

Data handling

Do you store end-user selfies or ID images?

No. Images and PDFs are analysed in memory and never written to disk as files. We retain only a one-way SHA-256 hash, the score and the decision.

Do you store raw government ID numbers?

No. Raw ID numbers are not stored; reconciliation figures are rounded so an exact private amount is not retained.

How long is data retained?

Verification metadata (hash, score, decision, timestamp) is retained for the customer's audit history. Customers can export and delete their data from the dashboard.

Can we get a Data Processing Agreement?

Yes, on request.

Security controls

Is data encrypted in transit?

Yes, TLS/HTTPS with HSTS enabled.

How are API keys stored?

Only a SHA-256 hash is stored; keys are never held in plaintext and can be revoked individually and instantly. Keys can be restricted to an IP/CIDR allowlist.

How is authentication separated?

Dashboard sessions and API keys are separate credentials. An API key gives no dashboard access and a session cannot call the machine API. Team accounts support owner/admin/member roles.

Is the admin console protected?

Yes, a strong token with optional TOTP two-factor authentication.

Do you rate-limit and protect against abuse?

Yes, per-account rate limits, upload-size caps, decompression-bomb protection and request timeouts.

Is there an audit log?

Yes, an append-only, immutable audit log of logins, key changes, payments and admin actions.

Is the network segmented?

Yes. The engine and database run on a private network; only the HTTPS reverse proxy is exposed.

Reliability

What is your availability target?

99.5% on standard plans; a credit-backed contractual SLA is available on enterprise agreements. See the SLA page.

How do you back up data?

Daily database backups with a retention window; backups are verified. Because images are not stored, there are no end-user image files to lose.

How does the system fail?

Fail-safe. If the engine is degraded, the API returns a clear error and does not charge, rather than a falsely confident result. Uncertain cases route to human review, never an auto-reject.

Compliance and certifications

Are you DPDP-aligned?

Yes; our practices align with India's DPDP Act, 2023, and we act as a data processor for the customer. See the Compliance page.

Do you hold SOC 2 or ISO 27001?

Not yet, and we do not claim to. We are building toward independent certification and will share controls and complete your questionnaire in the meantime.

Can you provide a penetration-test report?

A third-party VAPT can be arranged and shared under NDA.

How do we report a vulnerability?

security@truesecurix.com, with a machine-readable contact at /.well-known/security.txt.

Still need something?

Send your questionnaire or specific questions to contact@truesecurix.com and we will turn it around quickly.