Legal

Privacy Policy

Last updated: May 23, 2026

Trusto ("Trusto," "we," "us," or "our") provides a security and compliance platform that helps organizations monitor controls, collect evidence, and manage integrations with cloud and workplace tools. This Privacy Policy explains how we collect, use, disclose, and protect information when you visit trustosec.com, use our web application at app.trustosec.com, or connect third-party services through our platform.

1. Who this policy applies to

This policy applies to:

• Visitors to our website and marketing pages;
• Users who create accounts or are invited to an organization on Trusto;
• Administrators who connect integrations (such as Google Workspace, AWS, GitHub, Slack, and others) on behalf of their organization;
• Prospective customers who request a demo or contact us.

When an organization uses Trusto, that organization is typically the controller of data processed about its users and infrastructure. Trusto acts as a processor for customer data processed through the platform, except where we act as a controller for account, billing, and marketing data.

2. Information we collect

Account and profile information

When you register or are invited, we may collect your name, email address, organization name, role, authentication identifiers, and preferences.

Integration and compliance data

When you connect third-party services, we access and store data necessary to provide compliance monitoring, evidence collection, and security insights. Depending on the integration and permissions you grant, this may include:

• Configuration metadata and resource inventories;
• User, group, domain, and role information (read-only where applicable);
• Audit logs, usage reports, and security-related events;
• Evidence artifacts, control status, findings, and remediation notes.

We only request the minimum scopes or permissions needed to deliver the features you enable.

Google Workspace and Google OAuth

If you connect Google Workspace, you authorize Trusto via Google OAuth. With your consent, we may access Google user data limited to the scopes shown during authorization, which typically include read-only Admin SDK directory and reporting scopes and basic profile information (such as email address) to identify the connecting administrator.

Trusto's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google Workspace data solely to provide and improve Trusto features you request—such as compliance checks, evidence collection, and reporting—and not for advertising or unrelated purposes.

You can revoke Trusto's access at any time through your Google Account permissions page or by disconnecting the integration in Trusto.

Usage, device, and log data

We automatically collect technical information such as IP address, browser type, device identifiers, pages viewed, timestamps, and diagnostic logs to secure and operate our services.

Communications

If you contact us or request a demo, we collect the information you provide (such as name, email, company, and message content).

3. How we use information

We use information to:

• Provide, maintain, and improve the Trusto platform;
• Authenticate users and manage organizations and access controls;
• Run compliance checks, generate reports, and store evidence;
• Respond to support requests and communicate about the service;
• Detect, prevent, and address security incidents, fraud, and abuse;
• Comply with legal obligations and enforce our terms;
• Analyze aggregated, de-identified usage to improve product quality.

4. Legal bases (EEA/UK users)

Where applicable, we process personal data based on: performance of a contract; legitimate interests (such as securing our platform and improving services); consent (where required, including certain integrations); and compliance with legal obligations.

5. How we share information

We do not sell your personal information. We may share information with:

• Service providers that help us host, operate, authenticate, monitor, and support the platform (for example, cloud infrastructure, database, and email providers), subject to contractual confidentiality and security obligations;
• Your organization, when you use Trusto as a member of that organization;
• Integration partners, only as directed by you when connecting those services;
• Legal and safety recipients, when required by law or to protect rights, safety, and security;
• Business transfers, in connection with a merger, acquisition, or asset sale, with notice where required.

6. Data retention

We retain information for as long as needed to provide the service, fulfill the purposes described in this policy, comply with legal obligations, resolve disputes, and enforce agreements. Integration data retention may depend on your organization's settings and subscription. You may request deletion of account data subject to applicable law and contractual requirements.

7. Security

We implement administrative, technical, and organizational measures designed to protect information, including encryption in transit, access controls, and monitoring. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

8. International transfers

Trusto may process data in the United States and other countries where we or our service providers operate. Where required, we use appropriate safeguards for cross-border transfers.

9. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing of your personal data, and to data portability. You may also withdraw consent where processing is consent-based. To exercise rights, contact us at privacy@trustosec.com. We may need to verify your identity. If you are an end user of a customer organization, please contact your organization administrator first.

10. Cookies and similar technologies

Our website and application may use cookies and similar technologies for authentication, preferences, analytics, and security. You can control cookies through your browser settings; disabling cookies may affect functionality.

11. Children's privacy

Trusto is not directed to children under 16, and we do not knowingly collect personal information from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Material changes may be communicated through the platform or by email where appropriate.

13. Contact us

If you have questions about this Privacy Policy or our data practices, contact:

Trusto
Email: privacy@trustosec.com
Support: lucas@trustosec.com
Website: https://www.trustosec.com