Security is foundational to every decision we make.
We take security seriously. Every decision in creating Trustworthy begins with the safety and privacy of your data in mind.
Trustworthy is designed to protect you from breaches and other threats. Our team works diligently to keep your information safe at all times and we work with other security experts and auditors to make sure our code and business practices meet or exceed industry standards.
Above all we firmly believe that you are the sole owner and arbiter of your information. We won’t share it or sell it without your permission.
Trustworthy requires you to create and validate your identity before creating your account and adding any information. We ask for an email username, a strong password, and two-factor authentication to validate that you are who you say you are.
From the beginning of your Trustworthy experience, you are the arbiter of your account and information. Know that only you — and the trusted people you invite to your account — have access to your information.
We require a strong password for all users: a minimum of 8 characters including numbers, symbols, and upper- and lower-case characters. We recommend creating a password of 14 characters or more.
Increasing the length of a password and mixing in numbers and symbols dramatically enlarges the number of guesses an attacker would have to make. A longer, more complex password pushes brute-force cracking to the point where it would take an attacker decades.
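The policy above, implemented as a check that a practitioner could run during registration. This is an added example, not Trustworthy's code; the required character classes and the 8/14-character thresholds come from the page, while the symbol set, the assumed guess rate and the search-space estimate are my own assumptions for illustration.

```python
import math
import string

# Thresholds stated on the page: at least 8 characters required, 14+ recommended.
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 14

# Assumption: "symbols" means ASCII punctuation (32 characters).
SYMBOLS = set(string.punctuation)


def check_password_policy(password: str) -> dict:
    """Report which requirements a candidate password meets and which are missing."""
    checks = {
        "length": len(password) >= MIN_LENGTH,
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }
    missing = [name for name, ok in checks.items() if not ok]
    return {
        "meets_minimum": not missing,
        "meets_recommended": not missing and len(password) >= RECOMMENDED_LENGTH,
        "missing": missing,
    }


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space, assuming the attacker knows which
    character classes were used and must try every string of the same length."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SYMBOLS for c in password):
        alphabet += len(SYMBOLS)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Years to try the whole search space at an assumed (constructed) guess rate."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "Correct-Horse-Battery-42"]:
        result = check_password_policy(candidate)
        print(candidate, result, f"{search_space_bits(candidate):.1f} bits",
              f"{years_to_exhaust(candidate):.3g} years")
```

The "years" figure is the time to exhaust the whole space, not the expected time to a hit, and it assumes a uniformly random password; a dictionary word with substitutions is found far faster by wordlist attacks than this estimate suggests, which is why length matters more than the mix of classes.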
Trustworthy requires two-factor authentication as a default — not an option — to verify your identity and allow you to log in to your account.
Our platform supports multiple different factors, including:
Hardware security keys
For Trustworthy members, multi-factor authentication is non-negotiable. You can add further layers of security depending on your personal security preferences.
Two-factor authentication is an extra layer of security for Trustworthy accounts. This design ensures that you’re the only one who can access your account, even if someone else knows your password.
Recent research suggests that your account is 99.9% less likely to be compromised if you use two-factor authentication. In fact, many technology companies are moving towards two-factor authentication as the default.
Trustworthy provides hardware security keys (also known as security tokens) that allow you to add a second authentication factor to online services.
To use a hardware security key, you must be physically present to authenticate and log in to your account. Hardware security keys are one of the best ways to avoid phishing and account takeovers.
Please email email@example.com to request a Trustworthy hardware security key.
Trustworthy uses biometric (facial or fingerprint) authentication on our iOS mobile app.
Biometric authentication allows for a convenient and fast user experience while also providing a high level of security that is difficult to fake or steal. Because biometrics can only be provided by a living person, they are also harder for bots to impersonate.
Your Trustworthy data is encrypted to keep it safe, both at rest and in transit. Our security formula starts with Advanced Encryption Standard (AES) 256-bit encryption. We also use multiple techniques to make sure only you have access to your information.
Trustworthy encrypts all customers’ sensitive data to prevent unauthorized access, ensuring that your data stays secure.
Our user interface redacts or hides sensitive information by default; you choose when to reveal it.
Redaction keeps sensitive information on your screen away from wandering eyes.
Trustworthy uses an industry-leading security technique called “aliasing” to protect your information. Aliasing removes sensitive data from Trustworthy servers and replaces it with a corresponding alias. This keeps the sensitive information protected and separate from your account.
The alias (token) has no exploitable meaning and can only be “de-tokenized” with the original tokenization platform. For example, if a cybercriminal gained unauthorized access to our database containing tokenized sensitive data, the alias would be useless to the attacker and neutralize the threat.
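The aliasing (tokenization) pattern described above, as an added example that is not Trustworthy's implementation: the application database keeps only random aliases, and the mapping back to the real value lives in a separate vault. Names such as TokenVault, AccountDatabase and the sample record are constructed for illustration, and the vault here holds values in memory; a production vault would encrypt them and sit behind its own access controls.

```python
import secrets
from typing import Dict, List, Optional


class TokenVault:
    """The tokenization platform: the only component that can map an alias back.

    Assumed design. Aliases are generated with a CSPRNG and carry no information
    about the value they stand for, so a stolen alias cannot be reversed offline.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # A fresh random alias every time; nothing is derived from the value.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        # Only this vault's own aliases resolve; unknown aliases yield None.
        return self._store.get(token)


class AccountDatabase:
    """The application's own database. Sensitive fields are stored as aliases only."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.rows: List[dict] = []

    def add_member(self, name: str, ssn: str) -> None:
        self.rows.append({"name": name, "ssn": self.vault.tokenize(ssn)})

    def dump(self) -> List[dict]:
        """What someone with read access to this database alone would obtain."""
        return [dict(row) for row in self.rows]

    def reveal_ssn(self, index: int) -> Optional[str]:
        """Authorised path: resolve the alias through the vault."""
        return self.vault.detokenize(self.rows[index]["ssn"])


def leaks_value(rows: List[dict], value: str) -> bool:
    """Check a database dump for the raw sensitive value (defensive test)."""
    return any(value in str(field) for row in rows for field in row.values())


if __name__ == "__main__":
    vault = TokenVault()
    db = AccountDatabase(vault)
    db.add_member("Ada", "123-45-6789")  # constructed sample record
    print("database contents:", db.dump())
    print("raw SSN present in dump?", leaks_value(db.dump(), "123-45-6789"))
    print("authorised lookup:", db.reveal_ssn(0))
    print("lookup through a different vault:", TokenVault().detokenize(db.rows[0]["ssn"]))
```

The security property is the separation: a compromise of the account database yields only aliases, and resolving them requires access to the vault as well, which can be governed, logged and rate-limited independently.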
Trustworthy creates comprehensive audit logs of the events (by individual users) within each member account. This allows you to account for every change that has occurred within your account (and who made that change).
Having a complete record of events in your account provides transparency around all account changes.
Our security policies, controls, and standards cover a wide range of areas, including:
Software/systems development life cycle
These policies ensure that your and your family’s information is kept safe every step of the way.
Compliance & Certifications
We continually improve our compliance practices to meet or exceed industry standards and audits.
Trustworthy is AICPA SOC 2 Type 1 certified and has undergone a SOC 2 Type 1 examination, resulting in an independent CPA’s report and certification. A SOC 2 Type 1 report assures you that Trustworthy has established and continues to follow strict information security policies and procedures, and provides independent, third-party verification that Trustworthy operations meet or exceed defined levels of processes and controls for the security of customer data.
Trustworthy is compliant under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This means we manage the privacy and security of your information in accordance with the extremely formal and rigorous requirements of HIPAA, a compliance framework designed to protect sensitive personal and health information, especially any information held electronically. Not only do we hold ourselves to this high standard, we ensure that any third parties through which your information is transmitted are liable for protecting the privacy and security of your information to the same extent as Trustworthy.
PCI DSS Level 4
Trustworthy has been certified as Payment Card Industry Data Security Standard (PCI DSS) Level 4 compliant. This means we have completed a Self-Assessment Questionnaire (SAQ) and had an Approved Scanning Vendor (ASV) conduct quarterly network scans.
McAfee TrustedSite Certified Secure
Trustworthy is certified as a McAfee TrustedSite. This means that our online presence has passed McAfee’s rigorous tests for malware, viruses, and phishing and is regularly monitored by McAfee for security issues.
Norton Secured by Verisign
We are a Norton approved secure site. This means that Trustworthy is using a Verisign SSL (Secure Sockets Layer) certificate to keep your connection to Trustworthy secure at all times. It also means that Trustworthy sites are receiving a vulnerability scan on a daily basis. If Norton reports an issue, the seal no longer displays.
Trustworthy is a Better Business Bureau (BBB) accredited business. This means that Trustworthy meets the BBB’s accreditation standards, including a commitment to make a good faith effort to resolve any consumer complaints.
We perform regular application and infrastructure security vulnerability and penetration testing. Trustworthy uses internal security staff and third-party security researchers/specialists to proactively identify vulnerabilities and complete remediation in a timely manner. To responsibly disclose or report a security vulnerability to Trustworthy, please contact firstname.lastname@example.org.
Trustworthy works with a variety of security providers to enhance our own security architecture. We only work with providers who have the best security in every respect. As part of our security certifications, these partners have been vetted for their own compliance with the highest standards of security and privacy for the customers they serve.
Member data may be stored in Trustworthy’s private virtual cloud, hosted on providers such as Amazon Web Services, which we built to run business operations. These providers don’t have the keys to decrypt member data stored on their servers.
Trustworthy revenue comes from subscribers — not advertisers. We believe that when you don’t pay for the product, you are the product. The Trustworthy business is underpinned by three core tenets: Private, Protected, & Yours.
Private - We will never share or sell your family information.
Protected - Your family information is protected at all times by leading edge security measures including 256-bit encryption, biometrics, and hardware security keys.
Yours - You are the arbiter of your data and can elect to remove it from our service at any time.
All Trustworthy employees undergo rigorous background and security checks before being hired.
The Trustworthy IT Security Team manages employee company applications and devices. This allows us to remove access to business applications and remotely freeze or wipe devices as needed.
Questions or Concerns?
If you have any questions or concerns, please get in touch with us at: email@example.com
If you're a security researcher and you believe you've uncovered a security issue in our products, please email us at firstname.lastname@example.org with the necessary information to reproduce the issue.
Security is built into everything Trustworthy does. This isn’t a platitude. It’s a foundational part of our team culture.