Security & Trust

Enterprise-grade security, by default

Trayo is built for enterprise GTM teams that hold customer data, revenue intelligence, and CRM access to a high bar. Here is exactly how we protect it.

SOC 2 Certified

Compliance

SOC 2 Type II

Trayo is SOC 2 Type II compliant. Our controls covering security, availability, and confidentiality are independently audited on a recurring basis. Customers and prospects under NDA can request our latest report, penetration test summary, and security questionnaire.

Request our security package Request our security package

Controls

How we protect your data

Defense-in-depth across identity, data, application, and infrastructure layers. Every control listed below is live in production today.

Authentication & access

Every user, every session, verified — with enterprise identity controls built in.

SSO via SAML

Single sign-on through your identity provider (Okta, Azure AD, Google Workspace, and others) via WorkOS. Tenant-scoped organization mapping.

Two-factor authentication

TOTP-based 2FA with any standard authenticator app (Google Authenticator, Authy, 1Password). Available to every user.

Org-enforced 2FA

Admins can require 2FA across their organization. Once enforced, individual users cannot disable it.

Role-based access control

Granular permissions per tenant. Admins, members, and custom roles control who can view, edit, and configure.

Short-lived JWT sessions

Access tokens are short-lived and rotated via refresh tokens. Sessions can be revoked centrally.

Strong password hashing

Passwords are stored using bcrypt with a per-user salt. We never store or transmit passwords in plaintext.

Application security

Defense-in-depth across the API surface, agent runtime, and integration boundary.

Sandboxed agent runtime

AI agents run in isolated Daytona microVMs with no outbound access to other tenants. Agent SQL is read-only with table allowlists, statement timeouts, and row caps.

Parameterized queries

All database access goes through Prisma with parameterized queries — no string-concatenated SQL on customer data paths.

Rate limiting

API and internal endpoints are throttled to prevent abuse, accidental loops, and credential-stuffing attempts.

Signed webhooks

Outgoing webhooks are signed with per-workflow secrets. Recipients can verify authenticity before acting on a payload.

Constant-time secret comparison

Service tokens and webhook signatures are compared in constant time to prevent timing attacks.

Audit logging

Authentication events, permission changes, and admin actions are recorded for review and forensic investigation.

Infrastructure & operations

Built on Google Cloud with environment isolation, automated backups, and continuous monitoring.

  • Google Cloud Platform

    Trayo runs on GCP — Cloud Run, Cloud SQL (Postgres), and Cloud Storage — leveraging Google's physical, network, and platform security controls.

  • Environment separation

    Production, staging, and development run in separate GCP projects with independent databases, secrets, and access controls.

  • Least-privilege service accounts

    Internal services authenticate via narrowly scoped service accounts. No long-lived production credentials live on engineer laptops.

  • Automated backups

    Databases are backed up continuously with point-in-time recovery. Backup integrity is verified on a recurring schedule.

  • Continuous monitoring

    Application logs, error tracking, and uptime metrics are collected centrally with on-call alerting for production incidents.

  • Vulnerability management

    Dependencies are scanned automatically and patched on a defined SLA. Critical CVEs are fast-tracked outside the regular release cadence.

Privacy & data

Customer data is yours. It is encrypted in transit and at rest, isolated per tenant, and processed only to deliver the service.

  • Per-tenant data isolation

    Every record — accounts, people, events, signals — is scoped to a `tenant_id`. Queries are tenant-bound at the application and database layer.

  • Encryption in transit and at rest

    All traffic uses TLS 1.2+. Databases, object storage, and backups are encrypted at rest with Google Cloud–managed keys (AES-256).

  • Customer-owned data

    You own the account lists, signals, and outputs in your workspace. You can export or delete them at any time.

  • No training on your data

    Customer data is never used to train foundation models or shared across tenants. AI runs against your data on your behalf.

  • Public-data only

    Trayo monitors publicly available business signals — news, filings, job posts, public profiles. We do not scrape gated systems or private inboxes.

  • Sub-processor transparency

    We maintain a current list of sub-processors (cloud, AI, data, email infrastructure) and notify customers in advance of material changes.

  • GDPR & CCPA aligned

    We support data subject requests (access, deletion, portability) and offer a Data Processing Addendum on request.

  • Retention & recoverable deletion

    Records are soft-deleted with `deleted_at` timestamps so accidental removals can be recovered, then hard-deleted on a fixed retention schedule.

Responsible disclosure

Found a vulnerability? We work with security researchers in good faith. Email team@trayo.ai with details and a proof of concept. We will acknowledge within one business day and keep you updated through resolution.

Email team@trayo.ai Email team@trayo.ai

See what Trayo surfaces for your company in 30 minutes

Book a Demo Book a Demo

Try Trayo

Drop in your work email, we'll spin up your account and email you when it's ready.