Security questionnaire
These are straight answers to the questions enterprise security teams commonly ask, so you can start your review immediately. We are also glad to complete your own questionnaire and sign a mutual NDA. Where the honest answer is "not yet", we say so.
Company and product
TrueSecurix is an identity and document fraud-detection API. A customer sends a selfie, an ID image and/or a bank-statement PDF and receives a fraud-risk score, a pass/review/flag decision and the evidence behind it.
Microsoft Azure, India region. Verification traffic is processed in India.
Yes. Every request is strictly scoped to the account that made it; one account can never reach another's data.
Data handling
No. Images and PDFs are analysed in memory and never written to disk as files. We retain only a one-way SHA-256 hash, the score and the decision.
No. Raw ID numbers are not stored; reconciliation figures are rounded so an exact private amount is not retained.
Verification metadata (hash, score, decision, timestamp) is retained for the customer's audit history. Customers can export and delete their data from the dashboard.
Yes, on request.
Security controls
Yes, TLS/HTTPS with HSTS enabled.
Only a SHA-256 hash is stored; keys are never held in plaintext and can be revoked individually and instantly. Keys can be restricted to an IP/CIDR allowlist.
Dashboard sessions and API keys are separate credentials. An API key gives no dashboard access and a session cannot call the machine API. Team accounts support owner/admin/member roles.
Yes, a strong token with optional TOTP two-factor authentication.
Yes, per-account rate limits, upload-size caps, decompression-bomb protection and request timeouts.
Yes, an append-only, immutable audit log of logins, key changes, payments and admin actions.
Yes. The engine and database run on a private network; only the HTTPS reverse proxy is exposed.
Reliability
99.5% on standard plans; a credit-backed contractual SLA is available on enterprise agreements. See the SLA page.
Daily database backups with a retention window; backups are verified. Because images are not stored, there are no end-user image files to lose.
Fail-safe. If the engine is degraded, the API returns a clear error and does not charge, rather than a falsely confident result. Uncertain cases route to human review, never an auto-reject.
Compliance and certifications
Yes; our practices align with India's DPDP Act, 2023, and we act as a data processor for the customer. See the Compliance page.
Not yet, and we do not claim to. We are building toward independent certification and will share controls and complete your questionnaire in the meantime.
A third-party VAPT can be arranged and shared under NDA.
security@truesecurix.com, with a machine-readable contact at /.well-known/security.txt.
Still need something?
Send your questionnaire or specific questions to contact@truesecurix.com and we will turn it around quickly.