Trillo Security and Compliance on Google Cloud
Introduction
Shift in Customer Focus: Trillo customers are increasingly prioritizing security alongside cost-effectiveness. We recognize this need and have made security a core focus in delivering our solutions.
Google's Security Foundation: By building on Google Cloud Platform (GCP), we leverage Google's rigorous security standards and infrastructure.
Our Commitment: Security is deeply embedded in our company culture, development processes, and cloud operations. This document outlines our approach to protecting your data within the GCP environment.
Compliance Note: For details on GCP compliance certifications, please visit [link to relevant Google Cloud compliance page].
Security Culture
Dedicated Teams: Trillo maintains dedicated security and privacy teams. They proactively guide the design and execution of our security practices throughout our applications and operations.
Operational Security
Vulnerability Management: We employ multiple tools and processes (commercial, custom-built, penetration testing) to continuously scan for vulnerabilities. Identified issues are prioritized and assigned for rapid remediation.
Monitoring: We utilize GCP monitoring tools with a focus on application activity, user actions, and external threat intelligence to track potential security concerns.
Incident Management: Our incident management process follows Google Cloud's incident management procedures, with defined escalation paths and a 24/7 response team, so that security events are contained and resolved quickly.
Organizational Policies
We recommend implementing the following Organization Policies for enhanced control:
Skip default network creation (compute.skipDefaultNetworkCreation): New projects are created without the "default" VPC and its permissive default-allow-* firewall rules (SSH, RDP and ICMP open to 0.0.0.0/0), so every network is designed deliberately.
Define allowed external IPs for VM instances (compute.vmExternalIpAccess): Only explicitly listed instances may receive a public IP address, limiting the exposed attack surface.
Domain restricted sharing (iam.allowedPolicyMemberDomains): IAM policies may only grant access to identities from your own organization's domains, preventing accidental sharing with external accounts or the public.
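The three constraints above expressed as Organization Policy files for the gcloud CLI. This is an added example, not Trillo's own configuration: the organization ID 123456789012, the project/zone/instance path of the bastion host and the customer ID C0xxxxxxx are placeholders you replace with your own values.

```yaml
# Added example (not Trillo's configuration). All IDs below are placeholders.

# 1. compute.skipDefaultNetworkCreation: a boolean constraint. Enforcing it
#    means new projects get no "default" VPC and none of its default-allow-*
#    firewall rules.
name: organizations/123456789012/policies/compute.skipDefaultNetworkCreation
spec:
  rules:
  - enforce: true
---
# 2. compute.vmExternalIpAccess: a list constraint. Only the instances named
#    in allowedValues may have an external IP; everything else is denied.
#    To allow none at all, replace the "values" block with "denyAll: true".
name: organizations/123456789012/policies/compute.vmExternalIpAccess
spec:
  rules:
  - values:
      allowedValues:
      - projects/my-project/zones/us-central1-a/instances/bastion-01
---
# 3. iam.allowedPolicyMemberDomains: a list constraint. IAM bindings may only
#    reference principals from the listed Cloud Identity / Google Workspace
#    customer IDs (not domain names). This also blocks allUsers and
#    allAuthenticatedUsers bindings, i.e. public access.
name: organizations/123456789012/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
  - values:
      allowedValues:
      - C0xxxxxxx
```

Save each document to its own file and apply it with `gcloud org-policies set-policy FILE` as a principal holding the Organization Policy Administrator role. Check the result that actually applies at a lower level with `gcloud org-policies describe CONSTRAINT --project=PROJECT_ID --effective`, since folder- or project-level policies can override what was set at the organization. Before enforcing domain restricted sharing, inventory existing bindings to external accounts and public access: the constraint blocks new such bindings, so any you still need must be covered by an exception (for example a project-level policy) first.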
Network Security
Best Practices: Trillo adheres to GCP network security guidelines, including Shared VPC for centrally administered networking, secure hybrid connectivity to your on-premises environment, and explicitly defined firewall rules for ingress and egress to your workloads.
Security Command Center
Centralized Visibility: We utilize Security Command Center to inventory cloud assets, detect threats, and surface misconfigurations such as overly permissive IAM bindings or publicly exposed resources, safeguarding your sensitive data.
Access Management
Customer Data Ownership: We unequivocally affirm that your data is yours. Trillo does not access or use it for purposes beyond providing our services.
Administrative Access: Trillo strictly limits internal access to customer data on a need-to-know basis, adhering to the principle of least privilege.
Customer Admin Control: Your team maintains full control over administrative roles and permissions within your GCP environment.
Identity Management
Best Practices: We assist in federating your existing identity provider with Cloud Identity, so your users sign in to Google Cloud with the accounts and policies you already manage.
Principle of Least Privilege: Trillo champions this approach to minimize risk and grant only necessary access levels to users.
Encryption
Data in Transit: Trillo uses TLS for all connections and offers optional Cloud VPN to carry traffic between your on-premises network and your VPC over an encrypted tunnel.
Data at Rest: We rely on GCP's built-in encryption at rest for all stored data and add a further layer of application-level encryption, managed by Trillo, for sensitive user data.
Availability
High Redundancy: Trillo's architecture prioritizes redundancy across servers, storage, networking, and software to minimize single points of failure.
Resilience: We design for graceful error handling and real-time incident notifications for rapid response and minimal downtime.
Regulatory Compliance
Meeting Your Needs: Trillo understands your compliance requirements. We rely on GCP's robust compliance certifications, [link to relevant Google Cloud compliance page].
Contact Us
For any further questions about Trillo's security practices on Google Cloud, please reach out to info@trillo.io