Yes, whenever we have user consent, we store the data. The reason we store the data is so a user can seamlessly unlock their data the next time they need to validate their income, employment status, or other information.
We are SOC 2 Type II compliant and use Vanta (a software that helps automate and simplify data monitoring and compliance) to keep an eye on and track all of our controls.
- On top of the standard practices, we use an additional layer of encryption in all of our systems for sensitive data and only allow access on a need-to-know basis.
- We have strict procedures in place for who can gain access or be approved for access, and we log everything along the way. We can see who has access to what data and when, who approved the request, and what the outcome was. Except in exceptional cases where access is truly required, no one can access data.
- Data access is granted for 24 hours at a time and is revoked automatically.
Truv offers customer retention policies for enterprise clients where data can be deleted automatically. Clients are able to specify the amount of time they want us to store data for them or can request deletion of data via an API.
You can read more about Truv's security and privacy practices.