Security
Security is foundational to the Trelliss platform. As a multi-tenant helpdesk handling sensitive customer data, we take a defence-in-depth approach to protecting your information at every layer of the stack.
Encryption in Transit
All data transmitted between your browser and our servers is protected with TLS, using cipher suites with 256-bit symmetric keys. We enforce HTTPS on all connections and accept only TLS 1.2 and 1.3; older protocol versions are not offered.
Encryption at Rest
All data stored in Azure SQL databases and Azure Blob Storage is encrypted at rest with AES-256 using Azure-managed encryption keys (Transparent Data Encryption for Azure SQL, Storage Service Encryption for Blob Storage).
Tenant Data Isolation
Each tenant is provisioned with its own separate Azure SQL database, so your data is never co-mingled with other tenants' data in shared tables. Database-level access controls enforce this isolation at the infrastructure layer rather than relying on application code alone.
Secrets Management
All sensitive configuration - API keys, connection strings, and certificates - is stored in Azure Key Vault, with access policies that grant each secret only to the services that need it. Secrets are never committed to source code or stored in configuration files.
Authentication & Access Control
We support Microsoft Entra ID (formerly Azure AD) single sign-on, Google OAuth, email/password authentication with passwords hashed using bcrypt (work factor 12), and magic link authentication. Role-based access control limits each user to the data and actions their role permits within their tenant.
Infrastructure Security
Trelliss runs on Azure Container Apps with managed identity, private virtual networks, and Azure DDoS Protection. Our infrastructure is monitored 24/7 with Azure Application Insights and automated alerting.
Compliance
Trelliss is built on Microsoft Azure, which maintains a comprehensive set of compliance certifications including SOC 1/2/3, ISO 27001 and ISO 27018, and supports GDPR compliance. These attestations cover the infrastructure layer under Azure's shared responsibility model; Trelliss adds application-level security measures on top.
Vulnerability Management
We perform regular security assessments of our codebase and dependencies. Third-party packages are monitored for known vulnerabilities and updated promptly. Our development practices follow OWASP Top 10 guidance to prevent common web application vulnerabilities such as SQL injection, cross-site scripting, and cross-site request forgery.
Incident Response
We maintain an incident response plan for security events. In the event of a data breach, we will notify affected tenants without undue delay, and in any case within 72 hours of becoming aware of it, so that tenants acting as data controllers can meet their own GDPR Article 33 notification deadline. We will provide full transparency about the scope and impact of the incident.
Responsible Disclosure
If you discover a security vulnerability in Trelliss, we encourage you to report it responsibly. Please email [email protected] with details of the vulnerability. We will acknowledge receipt within 24 hours and work with you to understand and address the issue.
Questions
For security-related questions or concerns, please contact us at [email protected].