TRESTLE SECURITY OVERVIEW

Trestle is a trusted name in the identity verification space, and we take that trust seriously. We are basing our first information security program on ISO 27001:2005. We take a risk-based approach to information security, which is to say a practical one: we protect systems and data according to their sensitivity and exposure to threats.

SECURITY FAQ

What are your risk management practices?

Trestle employs a risk-based information security program: we protect systems and data according to their sensitivity and exposure to threats. Our baseline risk assessments occur annually across both corporate and service environments. They include policy and procedure reviews, control design and functionality review, technical configuration analysis, network and web application penetration testing, and interviews with team members. All risks are documented with their associated vulnerabilities, controls, and recommendations for risk reduction.

These risk assessments feed into an enterprise-wide risk register which is maintained continuously. As new risks are identified, they’re formally documented and addressed. This whole process is overseen by our Information Security Officer and executive leadership.

How are access controls determined and maintained?

Trestle employs role-based access controls based on need-to-know and least privilege. Each team member is assigned a primary role at hire or transfer, which determines their access to systems and applications. Each role is formally defined, as is its access. To gain access outside an individual’s role, an access request ticket must be submitted, approved, and provisioned.

Access control reviews are performed quarterly as part of internal audits conducted by our Information Security Officer.

How do you respond to incidents?

Trestle has established a formal Incident Management Program that covers security, privacy, and availability incidents. For each type of incident, there are reporting, response, and retrospective requirements and supporting materials. Customer notifications are a formally documented aspect of each incident type.

Do you have a Security Incident and Event Management system?

Yes, Trestle employs an appropriate incident and event management system.

How is remote access to your service environment handled?

Trestle employs MFA to access all corporate assets, including internal documents, email systems, and the code base. An IAM policy enforces MFA for our GCP and AWS consoles, and alerting is configured should it be disabled.

Do your applications have periodic third-party penetration tests?

Yes, Trestle employs a Qualified Security Assessor company to perform penetration tests annually against our API applications and external networks. The latest report is available to prospective and existing customers upon request.

What encryption standards are used for communication with your services?

All Trestle, and most other Trestle properties, use HTTP Strict Transport Security, which forces all connections to use HTTPS. We currently only support TLS 1.2.

What do you do to mitigate DDoS attacks?

The Trestle service environment is hosted in AWS and Google across multiple availability zones. The necessary DDoS protection services are deployed.

Is secure software development and OWASP Top 10 training required for your developers?

Yes. Every software developer takes secure software development training annually. This includes taking courses on securing AWS database offerings.

What physical security controls are implemented for your service environments?

Trestle employs AWS for its service infrastructure at the physical layer, and we review AWS SOC 2 Type 2 reports twice annually as part of our risk management program.