
Security Questions

| Category | Question | Response |
|---|---|---|
| Certifications & Compliance | What industry certifications or standards do you comply with (SOC 2, ISO 27001, HIPAA, etc.)? | We are SOC 2 Type II and ISO 27001 certified, follow OWASP best practices, and can support HIPAA requirements for healthcare clients. |
| Data Storage & Location | Does TruthScan store, process, or transmit customer data outside the US? | TruthScan's standard production infrastructure is hosted on cloud providers across the United States, including Cloudflare, Supabase, Vercel, DigitalOcean, Vultr, SambaNova, and Groq. Custom deployments are available if all data must remain within your country. |
| Data Privacy & Usage | Does TruthScan use customer data for training AI models or in the development of any products? | No. TruthScan does not use customer data to train AI models or to develop any products. All customer data is treated as confidential, is protected by industry-standard encryption, and is used only for the purposes explicitly stated in the agreements between TruthScan and the customer. |
| Data Privacy & Usage | Please describe the data flow when our company uploads data to your services. | The flow can be customized to your privacy needs. On the standard production infrastructure, uploaded content is sent directly to our REST API server on DigitalOcean in the United States, which returns an AI detection score directly in the response. |
| Data Privacy & Usage | What third parties have access to the data that is uploaded to your services? | This is also customizable; if your privacy needs are especially high, we can provide custom terms. On the standard production infrastructure, third-party vendors and TruthScan employees have access to TruthScan's information processing systems and the data they contain. This includes data handled by licensed third parties whose integrations are deployed to and used by their own clients. Vendors, third parties, contractors, and subcontractors sign non-disclosure / confidentiality agreements to protect TruthScan's information assets. |
| Personnel & Access Management | Does TruthScan have a member of the organisation with dedicated information security duties? | Yes. The Information Security Officer / COO, Benjamin Miller, is responsible for the performance of the organization's information security program, including identifying risks, threats, and vulnerabilities and adding controls to mitigate them. |
| Personnel & Access Management | Is a background check required for all employees accessing and handling CSO Group data? | Yes. Background verification checks are conducted on prospective employees, where feasible, in line with business needs and potential risks. They cover employment history, academic and professional qualifications, identity validation, and criminal background. |
| Certifications & Compliance | Does TruthScan have written information security policies? | Yes. TruthScan maintains a company-wide Information Security Policy, supported by detailed standards and training so that employees understand their security roles and responsibilities and how to handle significant events. The policies are published to internal staff on the company intranet. |
| Personnel & Access Management | Do terms and conditions of employment (including permanent, contract and temporary personnel) and contractual terms with third parties with access to company information clearly state the requirement to follow information security policy and procedures? | Yes. Employment terms and conditions for TruthScan employees and contractors set out their information security responsibilities and related obligations, both during and after employment. Contracts with third parties also include information security requirements to ensure compliance with TruthScan's security policies and procedures. |
| Personnel & Access Management | Do employees (including third parties acting on behalf of TruthScan) with access to partner information sign a non-disclosure or confidentiality agreement prior to accessing CSO Group information? | Yes. Both staff members and contract partners of TruthScan are required to sign and comply with the non-disclosure agreement (NDA) established and maintained by TruthScan's HR team, where applicable. |
| Personnel & Access Management | Does TruthScan require MFA for all user access to its administrative and supporting systems? | Yes. Access to critical systems requires multi-factor authentication (MFA) wherever the system supports it. |
| Personnel & Access Management | Does TruthScan conduct user access reviews at least annually on systems where the partner's information would be stored? | Yes. The Information Security Officer, with the help of system administrators, conducts user access reviews quarterly for production systems and at least annually for non-production systems. |
| Security Training & Awareness | Do all staff of TruthScan receive information security awareness training? | Yes. All staff receive annual security awareness training focused on maintaining the security of systems and data. |
| Infrastructure Security | Is active antivirus and anti-malware software installed on all endpoints, infrastructure, servers, and cloud systems that store, process, or access CSO Group data? | Yes. TruthScan requires anti-malware software on all endpoints with access to critical systems, including endpoints, infrastructure, servers, and cloud systems that store or process critical data. |
| Infrastructure Security | Has TruthScan deployed encryption throughout the lifecycle of data? | Yes. TruthScan encrypts data at rest with AES-256 and data in transit with TLS. Encryption is applied throughout the data lifecycle to protect sensitive information. |
| Infrastructure Security | Does TruthScan have data loss prevention controls that protect customer data? | Yes. TruthScan uses Data Leakage Prevention (DLP) tools to monitor and restrict data flows from endpoints to unauthorized systems. Data is encrypted both at rest and in transit using industry-standard methods (AES-256 and TLS), and regular backups protect sensitive data against loss. |
| Data Privacy & Usage | Do your administrators have access to customer-uploaded data? | Yes. Access to customer data is limited to authorized employees, contractors, and business partners with a specific need, following the principle of least privilege. Multi-factor authentication is required wherever possible. |
| Certifications & Compliance | For authentication data, please detail how credentials are stored, hashing or encryption methods, any salting and details of length, hash function etc. | Passwords are not stored in plaintext: they are stored as salted hashes produced by strong hashing algorithms and are protected in transit by TLS. Multi-factor authentication is recommended. Passwords must be at least 12 characters long and combine alphanumeric and special characters. |
| Data Storage & Location | Where is the service hosted? | The main production service is hosted on Cloudflare, Supabase, Vercel, DigitalOcean, Vultr, SambaNova, and Groq in various regions across the United States. Custom deployments in the partner's own location are possible if needed. |
| Infrastructure Security | Do you deploy separate instances for each user? How do you prevent customers from accessing each other's data? | Yes. TruthScan hosts the application in a secure virtual network environment, inside a Virtual Private Cloud (VPC) with accompanying firewalls. Data is encrypted and served over HTTPS to prevent unauthorized access between customers. |
| Logging & Monitoring | If yes, are logs kept of access to this information, including the reason for access? | Yes. Access to this information is logged, including the reason for access, as part of security-relevant logging. The logs are securely maintained to support incident investigations and are protected against tampering and unauthorized access. |
| Logging & Monitoring | Are logs of user access, changes, network, application, and device activity generated, centralised, and reviewed? | Yes. Logs of user access, changes, network, application, and device activity are generated and centralized. Monitoring and logging are configured to capture security-relevant events, and the logs are reviewed to ensure compliance with legal and contractual requirements and securely maintained to support incident investigations. |
| Infrastructure Security | Is physical access to data processing equipment (e.g., server rooms, communications rooms, filing cabinets) restricted? | Yes. Physical access to the data center facilities is restricted to authorized personnel. Responsibility for physical security is transferred to the infrastructure providers, who ensure the security, availability, and confidentiality of production systems and customer data. |
| Third-Party Management | Do contracts with TruthScan's third parties (partner's 4th parties) contain security and privacy requirements? | Yes. Contracts with third parties include information security requirements to ensure compliance with TruthScan's security policies and procedures. Vendors, third parties, contractors, and subcontractors also sign non-disclosure / confidentiality agreements as applicable. |
| Third-Party Management | Are regular reviews performed on TruthScan's third parties (partner's 4th parties)? | Yes. TruthScan periodically reviews the quality of outsourced operations, for example by reviewing subservice organizations' SOC reports and holding regular meetings to discuss performance. |
| Backup & Disaster Recovery | Are TruthScan systems backed up on a regular schedule and checked for successful backups? | Yes. TruthScan systems are backed up daily to protect sensitive data. Backups are restored at least annually to confirm the data is readable and usable; restoration tests are documented and performed by administrators together with the Information Security Officer. |
| Data Storage & Location | Does TruthScan store backups offsite? Please explain in comments. | Yes. Backups are stored at a redundant location outside the production environment to minimize risk. Offsite storage procedures address data safety in emergencies or disasters. |
| Data Storage & Location | Does TruthScan replicate or store data in locations outside of Australia? If yes, please list all locations where the partner's information will be stored. | Custom deployments are available to keep all data within Australia. On the main production systems, data is stored in various regions across the United States on infrastructure hosted by Cloudflare, Supabase, Vercel, DigitalOcean, Vultr, SambaNova, and Groq. |
| Infrastructure Security | Are TruthScan's network, datacentre, and cloud service provider boundaries protected by firewalls? | Yes. The internal networks at Cloudflare, Supabase, Vercel, DigitalOcean, Vultr, SambaNova, and Groq are protected by deny-by-default security groups and firewalls, so only deliberately allowed traffic can pass. |
| Infrastructure Security | What is the frequency of vulnerability scanning? | Vulnerability scanning tools automatically scan systems on the network daily to identify potential vulnerabilities. |
| Infrastructure Security | Does TruthScan perform annual penetration testing of its systems? | Yes. In addition to the daily automated vulnerability scans, an annual technical assessment and review is performed by a competent third party together with the Engineering team to identify potential vulnerabilities in the networks and other production systems. |
| Infrastructure Security | Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by TruthScan? | Yes. Network-based intrusion detection/prevention systems are deployed to cover critical network segments within the IT infrastructure. |
| Personnel & Access Management | Are employees able to access the partner's information from outside TruthScan offices/locations? How is this access secured? | By default, employees can access information from outside TruthScan offices; a custom deployment can further restrict this if needed. Remote access is secured with multi-factor authentication (MFA) and encrypted VPN connections, and is controlled by a role-based security architecture so that only authorized users can reach the information they need. All data is encrypted with TLS in transit and AES-256 at rest. |
| Backup & Disaster Recovery | Does the organisation have a disaster recovery plan, and is it tested on a regular basis? | Yes. The organization has a disaster recovery plan that is tested regularly through simulations and audits to ensure its effectiveness and alignment with compliance requirements. |
| Certifications & Compliance | If an information security breach involving the partner's data occurred, would the partner be notified of the breach? | Yes. In the case of a breach of sensitive customer data, the Information Security Officer notifies the competent authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. |
| Certifications & Compliance | Does TruthScan have a formal Incident Response plan? | Yes. TruthScan has an incident management framework with defined processes, roles, communications, responsibilities, and procedures for detecting, escalating, and responding to incidents, both internally and towards customers. Security incidents are escalated to the privacy, legal, customer, or senior management team(s) and assigned a severity rating. Post-mortems are conducted for incidents with a critical severity rating. |
| Certifications & Compliance | Has TruthScan tested its incident response plan within the last 12 months? | Yes. TruthScan tests its incident response plan quarterly as part of its regular business continuity and disaster recovery measures, which are reviewed and tested periodically. |