Security Policies
An overview of Tray's security practices and data handling procedures.
Keeping your data secure
Tray is designed with security at its core. We are SOC 1 Type 2, SOC 2 Type 2 and HIPAA certified, with a dedicated security team who continuously review and improve our security practices. Reports and other security documentation are available at trust.tray.ai.
See also:
- Security Statement — our technical and organizational measures, as referenced in our Data Processing Agreement
- Data Protection Commitment — how we meet the requirements of data protection laws such as GDPR and CCPA
Vulnerability Disclosure Program
If you identify a potential vulnerability in our platform, please report it through our HackerOne program.
For urgent security-related queries, contact security@tray.ai.
Data Protection
See our Data Protection Commitment for details on how we meet the requirements of GDPR, CCPA and other data protection regulations, including Tray's regionality options.
Hosting
Tray operates in three segregated AWS regions:
- US (AWS-West) — default
- EU (AWS-Ireland)
- APAC (AWS-Sydney)
Tray runs primarily on Amazon EKS (Elastic Kubernetes Service) for scalability and resilience. High availability is configured across multiple availability zones where possible. Snapshots are performed daily and retained for 14 days.
For details on AWS infrastructure security, see the AWS security page.
Security Measures
- Support access — you control when we have access to your data through Support Access controls.
- User authentication — 2FA is mandatory for all user accounts. See Profile & Login for more details.
- Encryption in transit — all data sent to Tray is encrypted. Our endpoints are TLS/SSL only and score an "A" rating on SSL Labs' tests.
- Encryption at rest — all stored data is encrypted, with an additional layer of encryption for sensitive data like workflow authentications. See Authenticating Connectors for more details.
- Account passwords — stored using bcrypt hashing with salts. Deleted when the account is deleted.
- Audit logging — we maintain comprehensive audit logs across our infrastructure and application, capturing user and system actions. Customers can stream application logs externally — see Streaming logs to external systems.
- Monitoring — engineers and security are on call 24/7. We monitor performance metrics across our services to detect and resolve degradation before it impacts customers, not just outages.
- Internal access controls — SSO with phishing-resistant 2FA on all systems with access to customer data, strict least privilege policies, and a managed password manager where passwords are necessary.
- Rapid deployment — automated systems enable us to deploy changes in minutes, allowing us to roll out security fixes quickly.
- Log redaction — sensitive authentication data is redacted from workflow logs.
- Incident response — documented incident response plans are in place.
- AI data handling — Merlin AI features are designed with data privacy in mind. See How does Merlin AI use my data? for details on what data is processed and how.
- Analytics — we analyze how the platform is being used to improve our services. We never analyze workflow execution data or other sensitive data.
Data Storage and Retention
Tray-controlled retention
Workflow execution logs are retained for 7 or 30 days depending on your package, configurable down to 24 hours or disabled entirely. When disabled, logs are still retained internally for 24 hours for redundancy purposes. Backups are retained for 14 days.
See Debug logs for more details on workflow execution data, and Technical limits, timeouts and retries for log retention and Data Storage connector limits.
Customer-controlled retention
The following data is stored until deleted by the customer:
- Workflow configurations
- Authentications
- Connectors with data storage capabilities
Customer-controlled assets such as user accounts, workflows and authentications can be deleted via the UI or the Tray API.
Organization deletion
All data is deleted 90 days after contract termination, or earlier on request.
Sub-processors
We use third-party vendors (sub-processors) to help operate the Tray platform. Our current list of sub-processors is available at tray.ai/sub-processors.
Account Owners are notified when sub-processor changes are made, or you can subscribe to updates on that page.
Payment Details
Tray does not store payment information. All payments are processed via invoice or through Stripe. For more information, see Stripe's security page.