Security at Trustpilot

We know that when you use our platform, you trust us to keep your information secure. We take this responsibility seriously.

We’re committed to safeguarding our platform and protecting personal data belonging to our customers, reviewers and consumers.

Compliance

SOC 2

Trustpilot has achieved a SOC 2 Type I attestation report for security. The SOC 2 Type I is available to customers and prospective customers on request.

The Type I report is an important milestone as part of our roadmap towards SOC 2 Type II compliance. Achievement of SOC 2 Type II attestation is a key priority for Trustpilot and is endorsed and supported by our Executive Team and Board.

GDPR

We comply with the European Union's General Data Protection Regulation (GDPR), which governs data protection and privacy for all individuals within the EU. Our GDPR-compliant Data Processing Agreement describes how we process personal data on behalf of the businesses that use our review invitation services.

CSA STAR Level 1


CSA STAR Level 1 is a self-assessment using the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM). This information is publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. STAR Self-Assessments are updated annually.

Trustpilot’s completed CAIQ questionnaire can be found on Trustpilot’s CSA STAR Registry Listing.

Trustpilot Security White Paper

Our Security White Paper provides an overview of our system design and architecture, our information security organisation and our information security framework.

The White Paper is publicly available on our website to help customers understand our security practices.

Cloud Infrastructure

The Trustpilot platform and its data are hosted in Amazon Web Services and Google Cloud Services data centres located in the European Union.

Both Amazon Web Services and Google Cloud Services are SOC 2, ISO 27001 and PCI DSS compliant. We review these vendors on a periodic basis to monitor their security compliance.

We don’t use any other data centre facilities and we don’t host data ourselves.

A list of our subprocessors can be found at https://legal.trustpilot.com/for-businesses/subprocessors.

Security Team

Trustpilot has a dedicated Security team, headed by the Chief Information Security Officer (CISO).

The Security Team is composed of teams responsible for:

  • Security Operations
  • Application and Cloud Security (Platform Security)
  • Governance, Risk and Compliance

As required by the GDPR, we have appointed a Data Protection Officer (DPO) to oversee our data privacy and protection measures.

Security Measures

Data security

Data to and from our cloud infrastructure is encrypted during transit, and data on our cloud infrastructure is encrypted at rest using the industry-standard AES-256 algorithm. Data stored on our cloud infrastructure is protected by firewalls and housed within multiple isolated VPCs.

To safeguard the traffic between our users and our platform, all web communication uses at least 128-bit encryption. All our websites use Transport Layer Security (TLS) 1.2. Trustpilot only accepts data sent via web submissions over HTTPS.

To safeguard personal data, we send emails using TLS. If the receiving client doesn't support TLS, we fall back to the most secure protocol it does support.

Application security

Trustpilot follows a DevSecOps model in which security is embedded in our DevOps processes and at each stage of our software delivery lifecycle.

This includes security in the design of our code, where we look to eliminate vulnerabilities such as those in the OWASP Top 10, as well as in our continuous integration and delivery pipeline, our APIs, and our automated testing.

Trustpilot has a Secure Software Development Lifecycle Policy that defines the requirements for managing changes securely. The Policy sets out requirements for the planning, initiation, development, quality assurance, implementation and release of changes.

Vulnerability Management

The Platform Security Team performs vulnerability scans of the Trustpilot codebase. These scans are conducted regularly so that potential vulnerabilities are identified and remediated.

Trustpilot runs a private bug bounty programme, and penetration testing is performed at least annually by a qualified provider.

Identified vulnerabilities are documented and tracked to resolution in line with the timelines in the Vulnerability Management Policy.

API security

At Trustpilot, we strive to ensure that our API authentication supports the strongest encryption standards possible to keep our customers safe. As a company, we support the following cipher suites:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256

We support TLS 1.2 as a minimum standard; we also accept connections over TLS 1.3.
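The list above mixes two naming schemes: the first three entries are TLS 1.3 suites in IANA form, the rest are TLS 1.2 suites in OpenSSL form, where a name with no leading key-exchange token (such as AES128-SHA256) denotes static RSA key exchange. The following added example, which is not Trustpilot's code and is not taken from this page, turns the published list into a checkable policy: it classifies each suite (TLS version, forward secrecy, AEAD, SHA-1 MAC), reports which of the listed suites would not satisfy a client that requires forward secrecy, and accepts or rejects a negotiated (version, suite) pair against the stated minimum of TLS 1.2. The suite names are copied from the list above; everything else is constructed for the example.

```python
# Added example (not Trustpilot's code): classify the cipher suites listed on the
# page and check a negotiated (version, suite) pair against that policy.

# The published list, copied verbatim from the page. The first three entries are
# TLS 1.3 suites in IANA naming; the remainder are TLS 1.2 suites in OpenSSL naming.
PUBLISHED_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-SHA256",
]

# The page states TLS 1.2 as the minimum accepted protocol version.
MIN_VERSION = (1, 2)


def describe_suite(name):
    """Return the security-relevant properties encoded in one suite name."""
    if name.startswith("TLS_"):
        # TLS 1.3 suites: key exchange is always ephemeral (EC)DHE and every
        # suite is AEAD, so the name only encodes the record-layer cipher.
        return {"tls": (1, 3), "forward_secrecy": True, "aead": True, "sha1_mac": False}
    parts = name.split("-")
    # OpenSSL names omit the key-exchange token when it is static RSA
    # ("AES128-SHA256" is TLS_RSA_WITH_AES_128_CBC_SHA256): no ephemeral key,
    # so no forward secrecy if the server's private key is ever compromised.
    forward_secrecy = parts[0] in ("ECDHE", "DHE")
    aead = "GCM" in parts or "POLY1305" in parts
    # A CBC suite whose name ends in bare "SHA" uses an HMAC-SHA1 MAC.
    sha1_mac = (not aead) and parts[-1] == "SHA"
    return {"tls": (1, 2), "forward_secrecy": forward_secrecy, "aead": aead, "sha1_mac": sha1_mac}


def audit_suites(suites):
    """Group the suites that deserve a second look when reviewing a TLS policy."""
    return {
        "no_forward_secrecy": [s for s in suites if not describe_suite(s)["forward_secrecy"]],
        "sha1_mac": [s for s in suites if describe_suite(s)["sha1_mac"]],
    }


def connection_allowed(version, suite, policy=PUBLISHED_SUITES):
    """True only if the negotiated version and suite both meet the stated policy."""
    return version >= MIN_VERSION and suite in policy


if __name__ == "__main__":
    for group, names in audit_suites(PUBLISHED_SUITES).items():
        print(f"{group}: {names}")
    print(connection_allowed((1, 2), "ECDHE-RSA-AES128-GCM-SHA256"))  # True
    print(connection_allowed((1, 1), "ECDHE-RSA-AES128-GCM-SHA256"))  # False: below TLS 1.2
```

Running the audit over the published list flags the three static-RSA suites (AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256) as lacking forward secrecy and ECDHE-ECDSA-AES128-SHA as the one CBC suite with an HMAC-SHA1 MAC; a client that insists on forward secrecy simply will not negotiate the former, which is the kind of detail an integrator reading this list wants to know before choosing their own client configuration.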

Our public keys are published here:

Staging:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZvOUdnnyvegDRSg2lQW
S9qpvI36K5xSfqaxICI0yoIimpZi1O9yBRJnfDni4uA1ztlVuFLE6S/RDNXZU56J
clIy2rWsR+RidjhcY4BApWu25vPFsm0Earxaa8Q0fr0rvcEzA1xGG627BIi3i7jv
XZRD1BorTigNxN1LBe+fmcI6uAy384D0gBac2CgN7VBmYQ/a0CxoUIc9Z1VzNDWX
wuQkldlM3B3Ugu1v+LRwDp5L8s7mLrpd9LlmikK2W7G6kAzf5tQgWh3fTF7ZSCNd
ngk6+PaPAg++ccPUlxxf5mPlGRMG35vBBBAVSocfXaI/DiVmvQm9O2nPUQSS2NSp
8wIDAQAB
-----END PUBLIC KEY-----
Production:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu86OXXXvm0zKeDZmuD8i
PgIcuKORZuCe8r8QjWEiBLcu14IxPtiE8qL1xQ0lvSiyNIQMgOwmyswIaTJWqoX3
WJALsWdFn3af61UgiR/CM18jXow1Hcq84Ahlf3/vAxqRGuhA0xHlCN4WDnIQjjZG
/QIwSfwiF2lqX9Nw7lrLeFjLjh4gwV3IM1h7ImAUaw4qoka0r9Jd7WiOcUFbtCqO
etTx7U9cRsX89Wl3hNC6uQNwYWE/ZKEO9M13uca1Quyk4BLMIHS89Yf2dJ7USCN5
VlOU0c83rebodC5BEHjLuAKUQMZjRWAQ5wzKi6d0Q4F4PIOBu8KPQSCsnR4WMU9b
XQIDAQAB
-----END PUBLIC KEY-----
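Before pinning or otherwise relying on a published key, it is worth confirming, independently of any library, that the PEM block really is what it appears to be. The following added example is not Trustpilot's code; it uses only the Python standard library to decode the two PEM blocks above into DER, walk the SubjectPublicKeyInfo structure, and report the algorithm OID, modulus size, public exponent and a SHA-256 fingerprint of the DER encoding. The page does not state what the keys are used for, so the example only inspects them; the OID-to-name mapping (1.2.840.113549.1.1.1 = rsaEncryption) is standard PKCS #1 and not something taken from the page.

```python
# Added example (not Trustpilot's code): inspect the published PEM public keys
# with the standard library only, so the result does not depend on a crypto
# library's own parser.
import base64
import hashlib
import re

# The two keys exactly as published on the page above.
STAGING_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZvOUdnnyvegDRSg2lQW
S9qpvI36K5xSfqaxICI0yoIimpZi1O9yBRJnfDni4uA1ztlVuFLE6S/RDNXZU56J
clIy2rWsR+RidjhcY4BApWu25vPFsm0Earxaa8Q0fr0rvcEzA1xGG627BIi3i7jv
XZRD1BorTigNxN1LBe+fmcI6uAy384D0gBac2CgN7VBmYQ/a0CxoUIc9Z1VzNDWX
wuQkldlM3B3Ugu1v+LRwDp5L8s7mLrpd9LlmikK2W7G6kAzf5tQgWh3fTF7ZSCNd
ngk6+PaPAg++ccPUlxxf5mPlGRMG35vBBBAVSocfXaI/DiVmvQm9O2nPUQSS2NSp
8wIDAQAB
-----END PUBLIC KEY-----"""

PRODUCTION_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu86OXXXvm0zKeDZmuD8i
PgIcuKORZuCe8r8QjWEiBLcu14IxPtiE8qL1xQ0lvSiyNIQMgOwmyswIaTJWqoX3
WJALsWdFn3af61UgiR/CM18jXow1Hcq84Ahlf3/vAxqRGuhA0xHlCN4WDnIQjjZG
/QIwSfwiF2lqX9Nw7lrLeFjLjh4gwV3IM1h7ImAUaw4qoka0r9Jd7WiOcUFbtCqO
etTx7U9cRsX89Wl3hNC6uQNwYWE/ZKEO9M13uca1Quyk4BLMIHS89Yf2dJ7USCN5
VlOU0c83rebodC5BEHjLuAKUQMZjRWAQ5wzKi6d0Q4F4PIOBu8KPQSCsnR4WMU9b
XQIDAQAB
-----END PUBLIC KEY-----"""

RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption, PKCS #1 (standard value, not from the page)


def _tlv(data, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError(f"expected {what} (tag 0x{wanted:02x}), got tag 0x{tag:02x}")


def decode_oid(raw):
    """Decode DER OID content bytes into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip the PEM armour and whitespace, then base64-decode strictly."""
    body = re.sub(r"-----[A-Z ]+-----|\s", "", pem)
    return base64.b64decode(body, validate=True)


def inspect_rsa_spki(pem):
    """Parse a SubjectPublicKeyInfo and describe the RSA key it carries."""
    der = pem_to_der(pem)
    tag, spki, _ = _tlv(der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    _expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid_raw, _ = _tlv(alg, 0)
    _expect(tag, 0x06, "algorithm OID")
    tag, bits, _ = _tlv(spki, pos)  # subjectPublicKey BIT STRING
    _expect(tag, 0x03, "subjectPublicKey BIT STRING")
    if bits[0] != 0:
        raise ValueError("unexpected unused-bit count in BIT STRING")
    tag, rsa, _ = _tlv(bits, 1)  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n_raw, pos = _tlv(rsa, 0)
    _expect(tag, 0x02, "modulus INTEGER")
    tag, e_raw, _ = _tlv(rsa, pos)
    _expect(tag, 0x02, "exponent INTEGER")
    oid = decode_oid(oid_raw)
    return {
        "algorithm_oid": oid,
        "is_rsa": oid == RSA_OID,
        "modulus_bits": int.from_bytes(n_raw, "big").bit_length(),
        "exponent": int.from_bytes(e_raw, "big"),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for label, pem in (("staging", STAGING_PEM), ("production", PRODUCTION_PEM)):
        print(label, inspect_rsa_spki(pem))
```

Both blocks decode to 2048-bit RSA keys with public exponent 65537 under the rsaEncryption OID; the fingerprint is the value to record alongside whichever environment's key you configure, so a later change to the published key is noticed rather than silently accepted.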

Incident response

In the unlikely event of a data incident, we have a dedicated Data Incident Response Team whose actions are guided by our Data Incident Policy and established processes.

The policy outlines how we should document, investigate, and report potential data incidents. In the case of an information security incident, we will contact companies whose personal data is affected without undue delay.

Reporting a security concern

You can report any security concerns to us via email at report@trustpilot.com.

Our Speaking Up platform is also available to report security concerns and includes the ability to report anonymously. We take these concerns seriously and handle them promptly.
