How we protect your data.
We build AI systems for healthcare, financial services, insurance, and legal clients, industries in which careful data handling is a regulatory obligation rather than a choice. This page explains how we approach security, privacy, and compliance across every client engagement.
Infrastructure & Hosting
Hosting Provider
All client websites and tools are deployed on Cloudflare Workers and Cloudflare Pages, a globally distributed edge network. Cloudflare holds SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications for that platform; these attest to the hosting provider, not to Truvaldi's own processes. Requests are served from the Cloudflare edge location nearest the end user.
Encryption
All traffic is encrypted in transit with TLS 1.3. Data at rest is encrypted with AES-256 for the data that is persisted at all (by default very little is; see Data Retention below). All client sites are served over HTTPS, with certificates issued and renewed automatically.
Source Code & Access Control
Source code is stored in private GitHub repositories with branch protection rules, and deployment is automated through CI/CD pipelines. Repository and deployment access is limited to the Truvaldi engineering team, with MFA enforced on every account.
AI & Data Processing
AI Processing
AI features use Cloudflare Workers AI (running on Cloudflare's infrastructure) and, for select features, third-party models from Anthropic (Claude) and OpenAI. AI inputs are processed in real time and are not used to train models. Conversation logs are not stored beyond the active session unless a client explicitly configures retention.
Data Retention
By default, user interactions with AI chatbots and tools are not persisted server-side. Lead capture data (name, email, phone, assessment results) is stored only in the client's designated CRM or inbox. Truvaldi does not maintain a separate database of end-user PII unless required by the client's workflow.
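The lead-capture path described above (validate the submitted fields, hand them to the client's CRM, keep nothing server-side) is the kind of handler a Cloudflare Worker would implement. The code below is an added illustration written for this page, not Truvaldi's own code: it allowlists the fields a client form is assumed to produce (name, email, optional phone, a small set of assessment result keys), strips control characters so a value cannot smuggle headers into a CRM record or notification e-mail, rejects anything else, and forwards the cleaned record through a hypothetical `forwardToCrm` function. The `env.CRM_WEBHOOK_URL` and `env.CRM_TOKEN` secret names and the `score`/`tier` result keys are assumptions for the example.

```javascript
// Added example (not Truvaldi's code): a lead-capture handler in the style of
// a Cloudflare Worker that validates, forwards, and does not persist.

const MAX_FIELD_LENGTH = 200;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_RE = /^\+?[0-9 ().-]{7,20}$/;
// Assessment result keys the client's form is assumed to produce (hypothetical);
// any other key in the submitted body is dropped rather than forwarded.
const ALLOWED_RESULT_KEYS = ['score', 'tier'];

// Replace control characters (including CR/LF) with spaces and collapse
// whitespace so a value cannot inject headers or newlines downstream.
function sanitizeText(value) {
  return String(value)
    .replace(/[\u0000-\u001f\u007f]/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
}

// Returns { ok: true, lead } with only allowlisted, sanitized fields,
// or { ok: false, errors } naming each rejected field.
function validateLead(input) {
  if (typeof input !== 'object' || input === null || Array.isArray(input)) {
    return { ok: false, errors: ['body'] };
  }
  const errors = [];
  const lead = {};

  const name = sanitizeText(input.name ?? '');
  if (name.length === 0 || name.length > MAX_FIELD_LENGTH) errors.push('name');
  else lead.name = name;

  const email = sanitizeText(input.email ?? '').toLowerCase();
  if (email.length > MAX_FIELD_LENGTH || !EMAIL_RE.test(email)) errors.push('email');
  else lead.email = email;

  // Phone is optional; when present it must look like a phone number.
  if (input.phone !== undefined && input.phone !== null && input.phone !== '') {
    const phone = sanitizeText(input.phone);
    if (!PHONE_RE.test(phone)) errors.push('phone');
    else lead.phone = phone;
  }

  if (input.results !== undefined) {
    if (typeof input.results !== 'object' || input.results === null) {
      errors.push('results');
    } else {
      const results = {};
      for (const key of ALLOWED_RESULT_KEYS) {
        if (!(key in input.results)) continue;
        const v = input.results[key];
        if (typeof v === 'number' && Number.isFinite(v)) results[key] = v;
        else if (typeof v === 'string') results[key] = sanitizeText(v).slice(0, MAX_FIELD_LENGTH);
        else errors.push(`results.${key}`);
      }
      lead.results = results;
    }
  }

  return errors.length === 0 ? { ok: true, lead } : { ok: false, errors };
}

// Hypothetical CRM forwarder; endpoint and token are Worker secrets
// (env.CRM_WEBHOOK_URL and env.CRM_TOKEN are assumed names).
async function forwardToCrm(lead, env) {
  const res = await fetch(env.CRM_WEBHOOK_URL, {
    method: 'POST',
    headers: { 'content-type': 'application/json', authorization: `Bearer ${env.CRM_TOKEN}` },
    body: JSON.stringify(lead),
  });
  if (!res.ok) throw new Error(`CRM rejected lead: ${res.status}`);
}

// Worker entry point. Nothing is written to KV, D1, or logs; the request
// body exists only for the duration of this call.
const worker = {
  async fetch(request, env) {
    if (request.method !== 'POST') return new Response('method not allowed', { status: 405 });
    let body;
    try {
      body = await request.json();
    } catch {
      return new Response('invalid JSON', { status: 400 });
    }
    const result = validateLead(body);
    if (!result.ok) {
      return new Response(JSON.stringify({ errors: result.errors }), {
        status: 400,
        headers: { 'content-type': 'application/json' },
      });
    }
    await forwardToCrm(result.lead, env);
    return new Response(null, { status: 202 });
  },
};
```

The allowlist is the important design choice: because the handler copies only named keys into `lead`, an attacker who adds extra fields to the form POST (say, a flag that the CRM treats as a staff-only attribute) gets them silently dropped instead of written into the client's system of record. The sanitization step likewise turns an e-mail value containing a CRLF sequence into a single rejected field rather than an injected header.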
Subprocessors
The following third-party services may process data as part of Truvaldi-built systems:
- Cloudflare — Hosting, edge compute, AI inference, DNS, CDN
- Anthropic — AI model inference (Claude) for chatbots and content generation
- OpenAI — AI model inference for select tool features
- GitHub — Source code hosting and CI/CD
- Google Fonts — Typography delivery (the browser's font requests send the end user's IP address and user agent to Google; no form or lead data is sent)
Client-specific integrations (CRM, EHR, billing, email) are disclosed per engagement.
Regulated Industry Considerations
Healthcare (HIPAA)
Truvaldi does not store, transmit, or process Protected Health Information (PHI) by default. AI chatbots and tools are designed to collect general inquiry information — not clinical data. For clients requiring HIPAA-compliant workflows, we architect solutions using HIPAA-eligible infrastructure and can execute a Business Associate Agreement (BAA) on a per-engagement basis. Contact us to discuss your specific requirements.
Financial Services & Insurance
AI tools built for financial services and insurance clients are informational and educational — they do not provide financial advice, insurance quotes, or binding recommendations. Calculators and assessments are designed to qualify and educate prospects, not to replace licensed professional guidance. All tools include appropriate disclaimers.
Legal
AI tools built for legal clients do not provide legal advice. They are designed for lead qualification, intake automation, and educational content. Attorney-client privilege considerations are addressed per engagement.
Security Credentials
Team Qualifications
Security is considered at every stage of design and development: input validation and output sanitization, access control, and data flow architecture.
Responsible AI
All AI-generated content and recommendations include appropriate context. Chatbots run with guardrails designed to keep them from fabricating facts about client services, pricing, or policies, and their outputs are constrained to the client's verified knowledge base.
Security questions?
If you have specific security, compliance, or data handling requirements, we are happy to discuss them before any engagement begins. We can provide additional documentation, execute BAAs, or customize our data handling practices for your industry.
Contact Us