Security Commitment

Last audit: May 26, 2026

1. Our commitment to your security

TrueSpeak is built and maintained with a strict, continuous security baseline. We run automated security audits every month and act on the findings — so that the platform protecting your whistleblowers' reports is itself protected. This page is our public record of that commitment.

2. The four pillars of our security

  • Continuous monitoring: automated security audits every month across code, configuration, and dependencies.
  • OWASP Top 10 coverage: every audit checks against the OWASP Top 10 web application risk catalogue.
  • SAST + DAST: both static analysis (code review) and dynamic testing (probing the live application).
  • Dependency hygiene: third-party libraries are continuously cross-checked against the public CVE database.

3. What we cover

Our audit process systematically verifies the following risk categories:

  • Authentication, session management and password handling
  • Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
  • SQL injection and other injection vectors
  • Insecure deserialization and unsafe object instantiation
  • Sensitive data exposure and secret leakage
  • Server-Side Request Forgery (SSRF) and external resource abuse
  • Security headers and transport layer hardening (HTTPS, HSTS, CSP)
  • Third-party dependency vulnerabilities (CVE database cross-check)
  • Cryptographic configuration and key management
  • File upload handling and path traversal

4. Audit cadence

We run a full SAST + DAST security audit every month, automatically. This is our public timeline:

  • Audits completed: 1
  • Last audit: May 26, 2026
  • Next scheduled audit: June 25, 2026

Audit timeline

  • May 26, 2026 (most recent): Completed

5. What happens when we find an issue

  1. Triage. Every finding is classified by impact and exploitability using industry-standard severity scoring.
  2. Prioritisation. Critical issues are handled immediately; high-severity findings within the current sprint; medium and lower severities in the next planned release.
  3. Remediation. Fixes are applied at the source — either updating an affected dependency, hardening configuration, or refactoring code.
  4. Verification. The next monthly scan confirms the issue is closed and tracks it in the audit history.

6. Why this matters for you

TrueSpeak handles sensitive reports from whistleblowers and the people who manage them. The trust your users place in the platform depends on us keeping it secure — not as a one-off, but continuously. This page is our public record of that commitment.

Detailed audit reports are available upon request to qualified auditors. Contact [email protected].
