Security at Trustpilot

At Trustpilot, we regard information security as an integral part of running an online review community.

Having adequate data security at all levels is important to us — regardless of whether we’re talking about data belonging to people who leave reviews on Trustpilot, consumers who use our platform, our customers and people we work with, or our own employees.

For all the details on our security practices, download our comprehensive security paper (version 2.7) under 'Attachments' at the end of this article, or see our Cloud Security Alliance questionnaire.

GDPR

We comply with the European Union's General Data Protection Regulation (GDPR), which governs data protection and privacy for all individuals within the EU. Our GDPR-compliant data processing agreement describes how we process personal data on behalf of the businesses that use our review invitation services.

Cloud infrastructure security

Trustpilot is a cloud-first company. We have no in-house data centers and our corporate network infrastructure is virtual.

Amazon Web Services

Our infrastructure runs on data centers provided by Amazon Web Services (AWS) using EU availability zones, which are SOC2 and PCI DSS Level 1 certified, among others. AWS has a number of security- and privacy-focused features, which Trustpilot leverages.

Our servers are in Amazon Web Services Data Centers and we have a mix of Microsoft and Linux operating systems. There are carefully configured security groups, isolated virtual private cloud (VPC) environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection.

All our operating systems, databases, and applications have been hardened to reduce any vulnerabilities and maximize their security.

Google Cloud

We also use Google Cloud Platform for some business requirements, where we also leverage cutting-edge tooling to alert us to any threats or vulnerabilities.

Reports

Trustpilot's server instances at AWS and Google Cloud are only accessible through a VPN. The physical security of our cloud infrastructure is handled by AWS and Google Cloud — you can request compliance reports directly through them.

Trustpilot.com maintains an A+ rating on Qualys SSL Labs for endpoints.

Vulnerability management

Trustpilot has a public Bug Bounty scheme where crowdsourced security researchers can find bugs and report them to us.

We also scan our website for vulnerabilities and fix them within timescales dependent on the severity of the finding.

Architectural design

We've designed our platform to follow microservices architecture design principles, so our services and their underlying backend are decoupled and stateless. This lets us automatically scale our platform based on demand.

Our backend infrastructure is created directly from code instruction, referred to as "infrastructure as code" (IaC). It is repeatedly replaced to ensure a consistent and stateless environment, or "immutable infrastructure".

Data security

Data to and from our cloud infrastructure is encrypted during transit, and data on our cloud infrastructure is encrypted at rest using the industry-standard AES-256 algorithm. Data stored on our cloud infrastructure is protected by firewalls and housed within multiple isolated VPCs.

To safeguard the traffic between our users and our platform, all web communication is 128-bit encrypted as a minimum. All our websites use Transport Layer Security 1.2 (TLS). Trustpilot only supports data sent via web submissions that use HTTPS.

To safeguard personal data, we send emails using TLS. If the receiving client doesn't support TLS, we use the next highest secure protocol supported by them.

API security

At Trustpilot, we strive to ensure that our API authentication supports the strongest encryption standards possible to keep our customers safe.  As a company, we support the following cipher suite:

TLS_AES_128_GCM_SHA256 

TLS_AES_256_GCM_SHA384 

TLS_CHACHA20_POLY1305_SHA256

ECDHE-ECDSA-AES128-GCM-SHA256     

ECDHE-ECDSA-AES128-SHA256      

ECDHE-ECDSA-AES128-SHA       

ECDHE-ECDSA-AES256-GCM-SHA384     

ECDHE-ECDSA-CHACHA20-POLY1305    

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES128-GCM-SHA256    

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES256-GCM-SHA384     

ECDHE-RSA-CHACHA20-POLY1305    

ECDHE-RSA-AES256-SHA384

AES128-GCM-SHA256     

AES256-GCM-SHA384  

AES128-SHA256     

We support TLS 1.2 as a minimum standard, however we will also accept connections over TLS 1.3.

Access to our public keys can be found here:

Staging:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZvOUdnnyvegDRSg2lQW
S9qpvI36K5xSfqaxICI0yoIimpZi1O9yBRJnfDni4uA1ztlVuFLE6S/RDNXZU56J
clIy2rWsR+RidjhcY4BApWu25vPFsm0Earxaa8Q0fr0rvcEzA1xGG627BIi3i7jv
XZRD1BorTigNxN1LBe+fmcI6uAy384D0gBac2CgN7VBmYQ/a0CxoUIc9Z1VzNDWX
wuQkldlM3B3Ugu1v+LRwDp5L8s7mLrpd9LlmikK2W7G6kAzf5tQgWh3fTF7ZSCNd
ngk6+PaPAg++ccPUlxxf5mPlGRMG35vBBBAVSocfXaI/DiVmvQm9O2nPUQSS2NSp
8wIDAQAB
-----END PUBLIC KEY-----
Production:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu86OXXXvm0zKeDZmuD8i
PgIcuKORZuCe8r8QjWEiBLcu14IxPtiE8qL1xQ0lvSiyNIQMgOwmyswIaTJWqoX3
WJALsWdFn3af61UgiR/CM18jXow1Hcq84Ahlf3/vAxqRGuhA0xHlCN4WDnIQjjZG
/QIwSfwiF2lqX9Nw7lrLeFjLjh4gwV3IM1h7ImAUaw4qoka0r9Jd7WiOcUFbtCqO
etTx7U9cRsX89Wl3hNC6uQNwYWE/ZKEO9M13uca1Quyk4BLMIHS89Yf2dJ7USCN5
VlOU0c83rebodC5BEHjLuAKUQMZjRWAQ5wzKi6d0Q4F4PIOBu8KPQSCsnR4WMU9b
XQIDAQAB
-----END PUBLIC KEY-----

Application security

Trustpilot follows the model of "DevSecOps" where security is embedded in our DevOps processes and at the various stages of our software delivery lifecycle. This includes security in designing our code — where we look to eliminate vulnerabilities such as those in the OWASP Top 10 — through our continuous integration and delivery pipeline, our APIs, and automated testing.

Incident response

In the unlikely event of a data incident, we have a dedicated Data Incident Response Team whose actions are guided by our Data Incident Policy and firm processes. The policy outlines how we should document, investigate, and report potential data incidents. In the case of an information security incident, we will contact companies whose personal data is affected. For more information, please download our white paper on Security Practices for Trustpilot Review Invitation Services in the attachments section below.

You can report any security concerns to us via email report@trustpilot.com.

Our security questionnaire

To help businesses understand our security practices, we've completed a Cloud Security Alliance questionnaire. You can download it here.

Up next The GDPR and data protection requirements for businesses

 

 

 

 

Attachments

Was this article helpful?

Related articles