Your Data Security is Our Top Priority
We understand that user research data is among your most sensitive business assets — potentially containing unreleased product information, competitive analysis, user pain points, and strategic market insights. Data security is not just a technical requirement, but our core business commitment.
Client Data Ownership
Client data is 100% owned by the client. Trooly acts solely as a Data Processor and does not claim any ownership, usage rights, or intellectual property rights over client data. Clients are the Data Controller.
Least Privilege & Data Minimization
All personnel and systems are granted only the minimum permissions necessary. Internal staff cannot directly access production databases — operations require pre-approved scripts. Client business data fields are invisible to operations personnel.
End-to-End Encryption & Defense in Depth
Data is encrypted with AES-256 at every stage — in transit (TLS 1.3), at rest, and during processing. Defense-in-depth architecture spans network boundary, application security, data security, and infrastructure layers.
Auditable & Traceable
All data access and operations maintain complete audit logs with millisecond precision, stored in an independent audit platform that neither business nor operations teams can modify. Logs are retained for at least 180 days.
Data De-identification & Intent Protection
Any client data that could reveal research intent is never used to train, fine-tune, or improve any AI model. Identifiers are removed before any external LLM API call, and data is fragmented so no single request contains complete project context.
Continuous Improvement
Our security framework is continuously iterated, with regular reviews and updates to security policies, technical measures, and compliance status. Quarterly access audits and periodic penetration testing ensure ongoing effectiveness.
Data Lifecycle Security
4-Tier Data Classification
From public configuration (L1) to top-secret PII (L4), each tier has dedicated encryption, access controls, and audit requirements. Sensitive data receives field-level encryption and the strictest access controls.
Storage Isolation
Different data types are stored in physically separated systems — recordings in encrypted object storage (AWS S3), structured data in encrypted databases (AWS RDS) — connected only through secure internal APIs.
Cryptographic Data Deletion
Data deletion uses crypto-shredding, permanently destroying encryption keys to make data mathematically unrecoverable. Deletion is completed within 7 business days, with a formal deletion confirmation letter.
AI Security & Reliability
Full Traceability to Source
All AI outputs are traceable to original interview recordings. The platform strictly distinguishes raw user data from AI-generated content, with clear provenance markers on every AI output.
Zero Data Retention with LLMs
Third-party LLMs (OpenAI, Anthropic, Google Gemini) operate under zero data retention — inputs and outputs are deleted immediately after processing. All providers hold SOC 2 Type II certification.
Data Fragmentation & Stateless Processing
Research data is split into minimal de-identified fragments. Each API call is completely independent and stateless — the model cannot correlate information across different calls.
Compliance Roadmap
Trooly operates its security framework according to these standards ahead of formal certification.
Our Service Commitments
For security inquiries, contact customer_service@trooly.ai