Trustfill · gettrustfill.com
Security
An honest overview of how we protect Trustfill customer data. Built for security and compliance buyers who need clarity before signup — not marketing theater.
Last updated: July 14, 2026
1. Summary
Trustfill is operated by TWT EXPERTS LLC at gettrustfill.com. We help teams draft cited answers to security questionnaires from an evidence vault. That means customers entrust us with sensitive security documentation — we take that seriously.
This page describes current practices for our SaaS product. It is not a SOC 2 report, ISO certificate, or penetration-test attestation. Ask hello@gettrustfill.com if you need a questionnaire filled about Trustfill itself.
2. Design principles
- Human in the loop — AI drafts; customers approve. Gaps without evidence are marked UNVERIFIED rather than inventing a confident “yes.”
- Least privilege — Workspace data is scoped in application logic to the authenticated workspace.
- Minimize card data — Payments go through Stripe; we do not store full payment card numbers.
- Encrypted in transit — Production traffic uses HTTPS/TLS.
3. What we store
- Account email and auth session material
- Workspace metadata and membership
- Uploaded evidence files / extracted text and questionnaire content
- Draft answers, citations, approvals, and export-related records
- Stripe customer / subscription identifiers and plan status
- Application logs needed to operate and debug the service
Details on collection and rights are in our Privacy Policy.
4. Infrastructure
- Application hosting — Deployed on Vercel (production: gettrustfill.com)
- Database — Postgres hosted on Supabase for production customer records (tables isolated with a Trustfill prefix)
- Payments — Stripe (merchant account: TWT EXPERTS LLC)
- AI drafting — Commercial LLM APIs (for example OpenAI) receive relevant evidence and question excerpts to return drafts
Subprocessors may change as we scale; material changes that affect data handling will be reflected in privacy/security docs or communicated to customers when appropriate.
5. Access control
- Users authenticate before accessing workspace features
- API routes that touch customer data require a valid session
- Operational access to production systems is limited to people who need it to run the product
- Customers control who they invite into a workspace; treat invites as privileged
6. AI and customer documents
Evidence and questionnaire text may be sent to LLM providers to generate drafts. We do not use your vault to train public models for unrelated third parties. You should only upload documents you are allowed to share with a SaaS vendor and its subprocessors.
Do not treat model output as audit-ready without review. See our Terms of Service.
7. Availability and backups
We aim for continuous availability but do not currently publish a formal SLA for MVP plans. Database backups and platform durability follow our hosting providers’ defaults; contact us if your procurement requires specific RPO/RTO commitments.
8. Incidents
If we become aware of a security incident affecting your personal data or Customer Content, we will investigate and notify affected customers as required by law and as reasonably practical given the circumstances.
To report a vulnerability or suspected incident: hello@gettrustfill.com with subject line “Security”.
9. Shared responsibility
- Use strong email account security; magic links inherit your inbox security
- Invite only trusted teammates to workspaces
- Review drafts before export or buyer submission
- Remove stale evidence and deactivate users who leave your company
10. What we are building toward
As Trustfill grows, we expect to deepen formal controls (for example expanded audit logging, tighter upload storage posture, and customer-facing security questionnaires about Trustfill). This page will be updated as those land. We will not claim certifications we have not earned.
11. Contact
TWT EXPERTS LLC (Trustfill)
Security / privacy: hello@gettrustfill.com
Web: https://gettrustfill.com