Security & Privacy Whitepaper

How Trutina protects sensitive loan application data. Designed for CISOs, procurement teams, and compliance officers at regulated financial institutions.

Executive Summary

Trutina processes sensitive loan application documents to detect fraud. This document outlines our security architecture, data handling practices, and privacy commitments. We are designed for regulated financial institutions subject to APRA and Privacy Act 1988 requirements.

Architecture Overview

Frontend: Hosted on Vercel (SOC 2 Type II, ISO 27001)
Backend: Hosted on dedicated VPS in Sydney, Australia (data sovereignty)
AI Engine: Anthropic Claude Sonnet (SOC 2 Type II compliant)
Database: PostgreSQL with encryption at rest (AES-256)
Jurisdiction: All data stays within Australian jurisdiction

Data Processing

Documents are uploaded via HTTPS (TLS 1.3)
Stored temporarily during analysis (~60 seconds active processing)
Text extracted from PDFs using PyMuPDF (local processing, no third-party OCR)
Document text sent to Anthropic Claude API for AI content analysis only
Raw PDF files are NOT sent to Claude — only extracted text

Anthropic AI — No Training Guarantee

Critical for regulated customers:

Anthropic's API Terms of Service explicitly state: “We do not train our models on your inputs or outputs”
Anthropic is SOC 2 Type II certified
Data sent to Claude API is processed and discarded — not stored, not used for training
Trutina uses the Anthropic API (not consumer Claude) — business-grade data handling
Source: anthropic.com/policies/privacy

Data Retention

Data Type	Retention Period	Notes
Raw PDF files	90 days	Configurable per customer. Auto-deleted after period.
Extracted text	90 days	Stored encrypted. Used for audit trail.
Risk scores & flags	7 years	APRA record-keeping requirement (CPS 220)
Audit events	7 years	Immutable audit log for compliance
Broker profiles	Indefinite	Aggregated data, no PII

Enterprise customers can configure custom retention periods.

Encryption

In transit: TLS 1.3 for all API communication
At rest: AES-256 for database (PostgreSQL). Documents stored on encrypted filesystem.
API keys: Hashed with bcrypt. Never stored in plaintext.
Secrets management: Environment variables injected at deployment. No hardcoded credentials.

Authentication & Access Control

API access: Per-customer API keys with rate limiting
Dashboard: Password-based authentication with httpOnly secure cookies
Future: SSO/SAML integration for Enterprise customers
RBAC: Role-based access control planned for multi-user accounts

Network Security

Backend runs on dedicated infrastructure (not shared hosting)
Firewall: Only ports 443 (HTTPS) and 22 (SSH management) exposed
DDoS protection: Via Vercel's edge network (frontend)
Rate limiting on all API endpoints
IP allowlisting: Available for Enterprise customers

Incident Response

Automated monitoring with alerting
Security incidents communicated within 24 hours
Post-incident review and report provided to affected customers
Contact: security@trutina.com.au

Third-Party Dependencies

Service	Purpose	Compliance
Anthropic (Claude API)	AI content analysis	SOC 2 Type II, no training on inputs
Vercel	Frontend hosting	SOC 2 Type II, ISO 27001
ABN Lookup API	ABN verification	Australian Government API (public)
RBA BSB Directory	BSB validation	Public data (updated monthly)

Privacy Act 1988 Compliance

Trutina processes personal information (names, financial data) as a service provider
Data Processing Agreement available for all customers
We collect only what's necessary for fraud detection
No data sold to third parties
Individuals can request data deletion (right to erasure)
Australian Privacy Principles (APPs) 1–13 addressed in full DPA

Penetration Testing

Annual third-party penetration testing (report available under NDA)
Continuous automated vulnerability scanning
Dependency monitoring for known CVEs

Contact

Security Inquiries

security@trutina.com.au

Privacy Officer

privacy@trutina.com.au

General

hello@trutina.com.au

Last updated: March 2026