Trust Center

trust.tucdesk.app - transparent security, compliance, and operational documentation for enterprise buyers

  • Boundary model - TB-001 / TB-002 / TB-003
  • Relay posture - Zero-knowledge ciphertext routing
  • Privacy model - GDPR-first data minimization
Trust Boundary Diagram

Where trust is verified and where it stops.

Untrusted Zone

  • Public Internet - any network. Assumed hostile. TLS 1.3 minimum on all external traffic.
  • Client browsers - not trusted. JWT validated on every request. CORS explicit.
  • NAT/firewall environments - assumed symmetric or blocking. TURN relay fallback required.

Verified Zone

TB-001
  • API server - validates JWT, RBAC, ABAC on every request. mTLS to internal services.
  • Rendezvous - validates agent registration with HTTPS and certificate pinning. No session data processed.
  • TURN relay - zero-knowledge. Routes ciphertext only. Cannot decrypt.

Trusted Zone

TB-002
  • Internal services - mTLS mesh only. No plaintext internal traffic.
  • Postgres + Redis - mTLS connections. Append-only audit constraints.
  • Vault - dynamic secrets. No long-lived credentials issued to agents.

Cryptographic Zone

TB-003
  • E2E session tunnel - AES-256-GCM. Even trusted-zone services cannot decrypt.
  • HSM root key - hardware-isolated. Access requires hardware token + biometric + 2-person rule.
  • Audit chain - hash-chained + signed. Any mutation detectable, attributable.
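The TB-003 audit chain is described as hash-chained and signed so that any mutation is detectable and attributable. The following is an added illustration of that mechanism, not TucDesk's code: each record's hash covers its content plus the previous record's hash, and a keyed signature over the hash binds the record to the key holder. The signing key, field names and sample records are constructed for the demo; in the architecture above the key would be HSM/Vault-issued rather than a literal.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key (assumption): a real deployment would sign with an
# HSM-backed or Vault-issued key, never a literal in source.
SIGNING_KEY = b"demo-audit-signing-key"
GENESIS_HASH = "0" * 64
BODY_FIELDS = ("seq", "actor", "action", "resource", "prev_hash")


def canonical(body):
    # Deterministic serialisation so the same record always hashes identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, actor, action, resource):
    """Append a record whose hash covers its content and the previous hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "actor": actor, "action": action,
            "resource": resource, "prev_hash": prev_hash}
    entry_hash = hashlib.sha256(canonical(body)).hexdigest()
    # The signature binds the hash, and so the whole record, to the key holder.
    sig = hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, hash=entry_hash, sig=sig)
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if intact, else (False, seq of the first bad record)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in BODY_FIELDS}
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i  # reordered, dropped or spliced record
        if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False, i  # content edited after the fact
        expected = hmac.new(SIGNING_KEY, entry["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["sig"]):
            return False, i  # re-hashed without the signing key
        prev_hash = entry["hash"]
    return True, None


def demo():
    """Build a small chain, then show two kinds of mutation being detected."""
    chain = []
    append_entry(chain, "alice", "session.start", "agent-7f3a")
    append_entry(chain, "bob", "key.rotate", "tenant-42")
    append_entry(chain, "alice", "session.end", "agent-7f3a")
    intact = verify_chain(chain)

    # Mutation 1: change the actor in place; the stored hash no longer matches.
    edited = copy.deepcopy(chain)
    edited[1]["actor"] = "mallory"
    edited_result = verify_chain(edited)

    # Mutation 2: change the action and recompute the hash; the signature
    # over the new hash cannot be produced without SIGNING_KEY.
    rehashed = copy.deepcopy(chain)
    rehashed[1]["action"] = "key.export"
    rehashed[1]["hash"] = hashlib.sha256(
        canonical({k: rehashed[1][k] for k in BODY_FIELDS})).hexdigest()
    rehashed_result = verify_chain(rehashed)

    return intact, edited_result, rehashed_result


if __name__ == "__main__":
    print(demo())
```

Two properties worth noting. The chain alone does not detect deletion of the newest records, because a truncated chain is still internally consistent; detecting that requires the latest hash to be published or anchored outside the log, which this demo does not show. And because the actor field is covered by the hash, an erasure request cannot simply overwrite it in place; the record has to be written with a pseudonym from the start, so that erasure deletes the pseudonym mapping rather than the audit record.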

Trust Center Content Map

trust.tucdesk.app

Security, compliance, data, reliability, access, legal, and questionnaire documentation.

/security/*

  • /encryption - Crypto stack, key management details
  • /audit-trail - Chain mechanics, tamper evidence, verification
  • /trust-boundaries - TB-001, TB-002, TB-003 diagrams
  • /architecture - System architecture overview

/compliance/*

  • /soc2 - Status, report request form (NDA)
  • /iso27001 - Certificate + scope
  • /gdpr - EU compliance, DPA template, DSARs
  • /hipaa - BAA process
  • /ccpa - California privacy
  • /caiq - Pre-filled CAIQ v4 download

/data/*

  • /residency - Region data location
  • /retention - Retention schedules
  • /processors - Live subprocessor list
  • /lifecycle - Data classification + handling

/reliability/*

  • /status - status.tucdesk.app embed
  • /sla - SLA tiers + history
  • /incident-response - Process + reporting
  • /business-continuity - BCP overview

/access/*

  • /sso - SSO setup, supported IdPs
  • /mfa - MFA options, hardware keys
  • /scim - SCIM provisioning details
  • /privileged-access - PAM, break-glass, 2-person rule

/legal/* + Questionnaires

  • /privacy - Privacy policy
  • /terms - Terms of service
  • CAIQ v4, VSAQ, SIG - downloadable (NDA gated)
  • Pen test results - NDA gated
  • SOC 2 report - NDA gated
Privacy & Data Governance

Data minimization by design - relay sees only ciphertext, no IP logging, right-to-erasure, GDPR-first architecture.

Data Classification Tiers

Public

  • Marketing copy
  • Public documentation
  • Status page data
  • Open source code

Internal

  • Agent IDs
  • Session metadata
  • Usage metrics
  • Internal runbooks

Confidential

  • User email addresses
  • Session recordings
  • Support tickets
  • Billing information

Restricted

  • Identity private keys
  • Master passwords
  • Audit signatures
  • HSM root keys

Data Flow & Minimization Principles

Minimization by Design

  • Relay server: zero IP logging (SEC-006 - no IP column in DB schema)
  • Session content: E2E encrypted - TucDesk cannot decrypt
  • Relay sees only ciphertext - zero-knowledge relay
  • Agent IDs: cryptographically derived - not sequential, not personal
  • Only billing-required metadata retained

Multi-Tenant Isolation

  • Every DB query carries team_id filter (middleware-enforced)
  • Cross-tenant access returns 404 - not 403 (prevents existence leaks)
  • Tenant data never co-mingled
  • Separate encryption keys per tenant (Enterprise: BYOK)
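The two isolation rules above, a middleware-enforced team_id predicate on every query and a 404 rather than 403 for cross-tenant access, are shown below in an added, self-contained example that is not TucDesk's code. It uses an in-memory SQLite table with constructed rows for two tenants; the RequestContext, the scoped_select helper and the handler names are assumptions for the demo. The point it makes beyond the bullets: the tenant id comes only from the authenticated context, never from the request, and the "absent" and "belongs to another tenant" cases are indistinguishable to the caller.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Populated by auth middleware after JWT validation (assumed design).
    team_id is taken from the verified token, never from the URL or body."""
    user_id: str
    team_id: str


class NotFound(Exception):
    """Maps to HTTP 404, for both 'no such row' and 'row in another tenant'."""


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, "
               "team_id TEXT NOT NULL, agent_id TEXT NOT NULL)")
    # Constructed sample rows: one session per tenant.
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?)", [
        ("sess-1", "team-a", "agent-01"),
        ("sess-2", "team-b", "agent-02"),
    ])
    return db


def scoped_select(db, ctx, columns, table, where="1=1", params=()):
    """The only read path handlers get. columns/table/where are developer
    literals; user input travels in params; team_id is always appended."""
    sql = f"SELECT {columns} FROM {table} WHERE ({where}) AND team_id = ?"
    return db.execute(sql, (*params, ctx.team_id)).fetchall()


def get_session(db, ctx, session_id):
    rows = scoped_select(db, ctx, "id, agent_id", "sessions",
                         "id = ?", (session_id,))
    if not rows:
        raise NotFound()  # same outcome whether absent or cross-tenant
    return {"id": rows[0][0], "agent_id": rows[0][1]}


def list_sessions(db, ctx):
    rows = scoped_select(db, ctx, "id, agent_id", "sessions")
    return [{"id": r[0], "agent_id": r[1]} for r in rows]


def handle_get_session(db, ctx, session_id):
    """Simulated HTTP handler returning (status, body)."""
    try:
        return 200, get_session(db, ctx, session_id)
    except NotFound:
        return 404, {"error": "not found"}


if __name__ == "__main__":
    db = setup_db()
    ctx_a = RequestContext("user-1", "team-a")
    print(handle_get_session(db, ctx_a, "sess-1"))   # own tenant: 200
    print(handle_get_session(db, ctx_a, "sess-2"))   # other tenant: 404
    print(handle_get_session(db, ctx_a, "missing"))  # nonexistent: 404
```

The check to write against this design is the one the demo performs: request a known-valid id from a different tenant and confirm the status, body and timing match the nonexistent-id response, since any difference between the two leaks that the resource exists.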

GDPR Data Subject Rights - Endpoints & Process

Right          Article   Implementation                                                                  SLA
Access         Art. 15   JSON export of all personal data                                                30 days
Rectification  Art. 16   Self-service editing; admin-assisted for immutable fields                       30 days
Erasure        Art. 17   Right-to-erasure endpoint; personal data deleted, audit records pseudonymized   30 days
Portability    Art. 20   JSON export of session history + account data                                   30 days
Restriction    Art. 18   Account suspension without deletion on request                                  72 hours
Objection      Art. 21   Opt-out of marketing processing; data minimization enforcement                  Immediate

Subprocessor Management

Subprocessor Disclosure

  • Published list: trust.tucdesk.app/data/processors
  • 30-day notice before adding new subprocessor
  • Right-to-object documented for Enterprise customers
  • Migration path if customer objects
  • Annual review per vendor

Breach Notification Timeline

  • GDPR: supervisory authority within 72 hours of discovery
  • HIPAA: affected individuals + HHS within 60 days
  • Customer notification: material incidents within 24 hours
  • Process: detect -> triage -> contain -> notify -> remediate -> post-mortem