Security & Trust
Every promise on this page can be independently verified in 30 seconds.
Public audits, automated tests, and transparent documentation —
because trust is earned by evidence, not adjectives.
A+ Mozilla Observatory · 125 / 100
A+ SSL Labs · Exceptional
✓ HSTS Preload eligible
✓ GDPR compliant
Independent public audits
We rely on independent third-party scanners that anyone can re-run, free of charge, at any time.
A+ · Mozilla Observatory
Score 125 / 100 · 10 / 10 tests passed
Strict Content Security Policy, HSTS preload, Cross-Origin isolation,
and all standard security headers. A score above 100 reflects security
beyond the standard requirements.
Verify on Mozilla →
A+ · SSL Labs (Qualys)
Exceptional · 2 endpoints · 0 warnings
TLS 1.3, modern cipher suites only, perfect forward secrecy, OCSP
stapling. The "Exceptional" qualifier is the highest classification
SSL Labs awards.
Verify on SSL Labs →
✓ · HSTS Preload
Pending inclusion in Chrome / Firefox / Safari
Submitted to the browser preload list. Once propagated, browsers
will refuse any HTTP connection to trilosolutions.com on the first
visit, eliminating SSL stripping attacks.
Check status →
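One way to check the header-side preload requirements yourself, as an added example that is not part of this page or the site's own tooling: the thresholds it applies (a max-age of at least one year, includeSubDomains, preload) are the ones published by hstspreload.org, and the sample header values are constructed.

```python
# Added example (not the site's own tooling): checks whether a
# Strict-Transport-Security header value meets the hstspreload.org submission
# requirements. Directive names are case-insensitive (RFC 6797).
ONE_YEAR = 31_536_000  # minimum max-age the preload list requires, in seconds


def parse_hsts(value):
    """Split an STS header into {directive-name: value}; flag repeated directives."""
    directives, problems = {}, []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            problems.append(f"duplicate directive: {name}")  # forbidden by RFC 6797
        directives[name] = raw.strip().strip('"')
    return directives, problems


def check_hsts_preload(value):
    """Return (eligible, problems) for a header value."""
    directives, problems = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None:
        problems.append("max-age directive missing")
    elif not max_age.isdigit():
        problems.append(f"max-age is not a non-negative integer: {max_age!r}")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below the one-year minimum ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return not problems, problems


# Constructed sample header values, not captured from any live site
SAMPLES = {
    "eligible": "max-age=63072000; includeSubDomains; preload",
    "too_short": "max-age=300; includeSubDomains; preload",
    "no_preload": "max-age=31536000; includeSubDomains",
    "duplicate": "max-age=31536000; max-age=0; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        ok, problems = check_hsts_preload(header)
        print(f"{label}: {'eligible' if ok else problems}")
```

The preload list also verifies things the header alone cannot show, such as the HTTP-to-HTTPS redirect and the certificate chain, so a passing header is necessary but not sufficient.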
Continuously verified controls
Each control runs on every code change. A failure blocks deployment.
- 19 Firestore security rules tests — multi-tenant isolation, role-based access, audit log immutability
- 22 end-to-end Playwright tests — real user journeys including authentication and write paths
- 353 unit tests — business logic coverage
- TypeScript strict mode — entire class of runtime errors eliminated at compile time
- ESLint static analysis — code quality enforced
- Daily data integrity audit — 8 coherence zones scanned across all organizations
- Daily encrypted backups — Firestore export, 60-day retention, AES-256
- CI scheduled re-run — catches infrastructure drift independently of code changes
- Subresource Integrity (SRI) — every external script hash-verified
- Sentry error monitoring — EU region, real-time alerting
Compliance roadmap
In place · GDPR
Compliant. Data processing register, DPA template, all data subject rights supported.
Q3 2026 · Cyber Essentials
UK government cybersecurity baseline certification. Application in preparation.
Q1 2027 · ISO 27001
Roadmap defined. Continuous evidence collection via internal automation platform.
Q3 2027 · SOC 2 Type II
Follow-on after ISO 27001. Continuous controls already in place.
Sub-processors
All sub-processors hold mature, independently certified security practices.
| Provider | Purpose | Certifications |
|---|---|---|
| Google Cloud / Firebase | Authentication, database, storage, functions | ISO 27001/17/18, SOC 2 Type II, SOC 3 |
| Netlify | Hosting, CDN, TLS, serverless functions | SOC 2 Type II |
| Sentry (EU) | Error monitoring | SOC 2 Type II |
| Let's Encrypt | TLS certificates | ISRG operator SOC 2 audited |
| GitHub | Source code hosting | SOC 1 Type II, SOC 2 Type II, ISO 27001 |
Download our security documentation
Security Whitepaper available publicly. CAIQ Lite questionnaire, DPA template, sub-processor list, and architecture diagrams available on request — responses within 24 hours.
Report a security issue
We welcome responsible disclosure of security vulnerabilities.
Email Mail@tri-lo.com with details — we acknowledge all reports within 48 hours.
Please do not publicly disclose a vulnerability until we have had a reasonable opportunity to investigate and remediate.
We do not currently operate a paid bug bounty program, but we will publicly credit security researchers
(if they wish) once any reported vulnerability has been fixed.