At Trustpilot, we regard information security as an integral part of running an online review community.
Having adequate data security at all levels is important to us — regardless of whether we’re talking about data belonging to people who leave reviews on Trustpilot, consumers who use our platform, our customers and people we work with, or our own employees.
For all the details on our security practices, download our comprehensive security paper (version 2.7) under 'Attachments' at the end of this article, or see our Cloud Security Alliance questionnaire.
We comply with the European Union's General Data Protection Regulation (GDPR), which governs data protection and privacy for all individuals within the EU. Our GDPR-compliant data processing agreement describes how we process personal data on behalf of the businesses that use our review invitation services.
Cloud infrastructure security
Trustpilot is a cloud-first company. We have no in-house data centers and our corporate network infrastructure is virtual.
Amazon Web Services
Our infrastructure runs on data centers provided by Amazon Web Services (AWS) using EU availability zones, which are SOC2 and PCI DSS Level 1 certified, among others. AWS has a number of security- and privacy-focused features, which Trustpilot leverages.
Our servers run on stable, regularly patched versions of Amazon Windows with carefully configured security groups, isolated virtual private cloud (VPC) environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection.
All our operating systems, databases, and applications have been hardened to reduce any vulnerabilities and maximize their security.
We also use Google Cloud Platform for some business requirements, where we also leverage cutting-edge tooling to alert us to any threats or vulnerabilities.
Trustpilot's server instances at AWS and Google Cloud are only accessible through a VPN. The physical security of our cloud infrastructure is handled by AWS and Google Cloud — you can request compliance reports directly through them.
Trustpilot.com maintains an A+ rating on Qualys SSL Labs for endpoints.
Trustpilot has a public Bug Bounty scheme where crowdsourced security researchers can find bugs and report them to us.
We also scan our website for vulnerabilities and fix them within timescales dependent on the severity of the finding.
We've designed our platform to follow microservices architecture design principles, so our services and their underlying backend are decoupled and stateless. This lets us automatically scale our platform based on demand.
Our backend infrastructure is created directly from code instruction, referred to as "infrastructure as code" (IaC). It is repeatedly replaced to ensure a consistent and stateless environment, or "immutable infrastructure".
Data to and from our cloud infrastructure is encrypted during transit, and data on our cloud infrastructure is encrypted at rest using the industry-standard AES-256 algorithm. Data stored on our cloud infrastructure is protected by firewalls and housed within multiple isolated VPCs.
To safeguard the traffic between our users and our platform, all web communication is 128-bit encrypted as a minimum. All our websites use Transport Layer Security 1.2 (TLS). Trustpilot only supports data sent via web submissions that use HTTPS.
To safeguard personal data, we send emails using TLS. If the receiving client doesn't support TLS, we use the next highest secure protocol supported by them.
At Trustpilot, we strive to ensure that our API authentication supports the strongest encryption standards possible to keep our customers safe. As a company, we support the following cipher suite:
We support TLS 1.2 as a minimum standard, however we will also accept connections over TLS 1.3.
Access to our public keys can be found here:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
Trustpilot follows the model of "DevSecOps" where security is embedded in our DevOps processes and at the various stages of our software delivery lifecycle. This includes security in designing our code — where we look to eliminate vulnerabilities such as those in the OWASP Top 10 — through our continuous integration and delivery pipeline, our APIs, and automated testing.
In the unlikely event of a data incident, we have a dedicated Data Incident Response Team whose actions are guided by our Data Incident Policy and firm processes. The policy outlines how we should document, investigate, and report potential data incidents. In the case of an information security incident, we will contact companies whose personal data is affected. For more information, please download our white paper on Security Practices for Trustpilot Review Invitation Services in the attachments section below.
You can report any security concerns to us via email firstname.lastname@example.org.
Our security questionnaire
To help businesses understand our security practices, we've completed a Cloud Security Alliance questionnaire. You can download it here.