Trust Library Spec / Trust Library

Security Statement

TrueStele treats tenant isolation and evidence handling as core infrastructure concerns, not feature checkboxes.

Tenant Storage Cryptographic Boundaries Screenshot

Logical diagram illustrating isolated database instances, encrypted vaults, and stateless OAuth API paths.

Product Interface Spec
Operational Assessment

Casual evidence sharing is a major security liability.

Data protection audit infrastructure requires strict boundary isolation, zero-knowledge storage options, and timestamped revisions.

When a DPCO's client sends their ROPA, vendor contracts, and breach logs over WhatsApp, the DPCO becomes the weak link in their own client's compliance chain. TrueStele closes that gap.

Tenant-scoped access patterns and isolated storage paths.

Short-lived access for evidence retrieval.

Privacy Vault option for firms that need client documents to remain in their cloud.

System Security Spec

Data isolation, transit pipelines, and custodian boundaries

TrueStele is engineered specifically to secure professional compliance firms against the liabilities of accidental cross-tenant data leaks and unencrypted file handling.

1. Strict Tenant-Level Database Isolation

TrueStele utilizes a logically isolated multi-tenant architecture. Every client audit engagement operates in its own dedicated workspace schema. Database rows, evidence indexes, and progress metadata remain permanently partitioned at the database layer. This boundary is enforced systematically, ensuring that under no circumstances can an analyst or client session access records belonging to another engagement.

2. Stateless Evidence Collection Pipeline

To eliminate the storage risks associated with traditional GRC filesystems, TrueStele implements a stateless transit architecture. Documents submitted through secure client portals flow directly from the client's browser to target, tenant-scoped AWS S3 storage containers. No raw document attachments or PII data records are cached or permanently stored on TrueStele's central application servers.

3. OneDrive & Google Drive Local Residency (Privacy Vault)

For consulting firms demanding complete ownership of the file custody chain, our Privacy Vault add-on preserves OneDrive or Google Drive as the sole source of custody. TrueStele serves strictly as a stateless mapping layer—retrieving document views temporarily during active auditor reviews using short-lived OAuth credentials and storing only SHA-256 integrity checksums.

4. Hourly Backups & Tamper-Evident Logs

Workspace databases are continuously backed up using hourly point-in-time multi-zone snapshots. System access logs, document additions, control review status overrides, and final partner sign-offs are written into locked, tamper-evident audit trails. This guarantees your firm can produce an unalterable, authoritative compliance log for regulator CAR audits.

Onboarding Hotspot

Book a region-specific walkthrough.

Schedule a region-specific walk. Our team will demonstrate how TrueStele maps evidence requests, regulatory requirements, and filing reports to your active client portfolios.