Trust Center

How we keep your data safe.

Trendnaut is built on the assumption that the data we hold is the most sensitive data your business owns. Customers, deals, contracts, invoices, communications. All of it. Here is exactly how we protect it.

For DPA, sub-processor list, or pen-test reports under NDA, write to security@trendnautlabs.in.

Compliance posture

SOC 2 Type II

In progress

Audit kickoff scheduled. Controls aligned to ~75%.

India DPDP Act 2023

Aligned

Mumbai data residency. Consent + erasure rollout in flight.

GDPR (EU)

In progress

Frankfurt residency planned. DPA available on request.

OWASP Top 10 / CWE Top 25

Aligned

Continuous audit. Latest pass: 82% control coverage.

ISO 27001

Planned

Targeted for late 2026 after SOC 2 attestation.

What we do, in plain English

Data residency

Customer data is held in the region nearest the customer's primary location. India accounts → Mumbai. EU accounts → Frankfurt (rolling out).

Encryption at rest

AES-256 via Supabase managed PostgreSQL. Sensitive fields (PAN, GSTIN, bank details) use application-layer envelope encryption (rolling out).

Encryption in transit

TLS 1.3 enforced. HSTS preload-eligible. Strict-Transport-Security: max-age=63072000; includeSubDomains; preload.

Access control

RLS at the database layer. Org-membership checks at every server action. Service-role keys never reach the client bundle.

Audit logs

Every mutation logged with actor, action, resource, IP, and user agent. Retained ≥365 days for SOC 2 alignment.

Incident response

Breach-response runbook with 72-hour notification target (DPDP §8(6) / GDPR Art.33). On-call rotation for Sev-0/1.

Vulnerability management

Continuous dependency scanning via Dependabot. Annual third-party penetration test. Public responsible-disclosure program.

Backup & recovery

Point-in-time recovery via Supabase managed backups. RPO ≤ 1 hour, RTO ≤ 4 hours. Tested quarterly.

Sub-processors

We rely on the providers below to deliver the platform. Each is bound by a data-processing agreement aligned with GDPR Art.28 and DPDP §11. Customers will be notified at least 30 days before any new sub-processor is added.

Provider | Purpose | Region
Supabase | Database + auth + object storage | Mumbai, India
Vercel | Hosting + edge runtime + CDN | Global edge
Anthropic | Claude API for AI features (paid tiers only) | United States
Postmark | Transactional email | United States
Stripe | International payments | United States / Ireland
Razorpay | India payments (UPI, NEFT, IMPS, GST invoicing) | Mumbai, India
Cloudflare | DNS + DDoS protection | Global edge

Get in touch

Security disclosures

security@trendnautlabs.in

24-hour acknowledgement SLA

Privacy & DSAR

privacy@trendnautlabs.in

30-day response per GDPR Art.15

System status

View status page →

Live uptime + incident history

Last updated 5 June 2026