Questions about our security policies and credentials?

View Security Profile
Email Support

We take security and privacy seriously

Trove is fully committed to protecting the privacy of all customers as well as candidates and employees of these customers. We know you are trusting us with your data, and we take that responsibility very seriously.

Summary

  • 100% of our employees complete security training
  • 100% of our employees undergo mandatory background checks
  • Physical security keys are required for login to internal and external services

Service Level Terms

The Services shall be available 99.5%, measured monthly, excluding holidays and weekends and scheduled maintenance. If Customer requests maintenance during these hours, any uptime or downtime calculation will exclude periods affected by such maintenance. Further, any downtime resulting from outages of third party connections or utilities or other reasons beyond Company’s control will also be excluded from any such calculation. Customer's sole and exclusive remedy, and Company's entire liability, in connection with Service availability shall be that for each period of downtime lasting longer than one hour, Company will credit Customer 5% of Service fees for each period of 30 or more consecutive minutes of downtime; provided that no more than one such credit will accrue per day. Downtime shall begin to accrue as soon as Customer (with notice to Company) recognizes that downtime is taking place, and continues until the availability of the Services is restored. In order to receive downtime credit, Customer must notify Company in writing within 24 hours from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit. Such credits may not be redeemed for cash and shall not be cumulative beyond a total of credits for one (1) week of Service Fees in any one (1) calendar month in any event. Company will only apply a credit to the month in which the incident occurred. Company’s blocking of data communications or other Service in accordance with its policies shall not be deemed to be a failure of Company to provide adequate service levels under this Agreement.

Support Terms

Company will provide Technical Support to Customer via both telephone and electronic mail on weekdays during the hours of 9:00 am through 5:00 pm Pacific time, with the exclusion of Federal Holidays (“Support Hours”).

Customer may initiate a help desk ticket during Support Hours by calling 610-945-6533 or any time by emailing info@trytrove.co. After-hours support will be provided via email.

Company will use commercially reasonable efforts to respond to all Helpdesk tickets within one (1) business day.

Information Security Policy

Information Trove Collects
  • In general, Trove's policies are oriented towards US-based customers.
  • Information you give us from your API access from ATS (e.g. Lever), HRIS (e.g. BambooHR), and other systems you explicitly grant Trove access to including Confluence/Atlassian. Note that Trove does not explicitly collect any specific information from users in the Trove product.
  • Information we get from your use of our Services. We may collect information about the Services that you use and how you use them, like when you visit our website. This information includes: 1) Device Information – we may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). We may associate your device identifiers with your account. 2) Log information – when you use our Services or view content that we provide, we may automatically collect and store certain information in server logs. This may include details of how you used our Services, such as Internet protocol address, and device event information such as crashes or other system activity.
  • Cookies. In order to improve our Service and provide a more relevant experience to our users, we may collect information using "cookies." Cookies are small data files stored on your hard drive by a website. We may use cookies to see which areas and features are popular and to count visits to our Service. Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove and/or reject cookies. If we use cookies and you choose to remove or reject them, this could affect certain features of our Service.
  • Third Party Cookies. We may also allow third parties, such as Google, to use cookies on our Service. Such third party cookies are used to help recognize your log-in status and permit you to access third party features enabled through our Service and to evaluate and compile aggregated statistics about activity on our Service. You can usually choose to set your browser to remove and/or reject these cookies, but note that doing so could affect certain features of our Service.
Sharing of Personal Information

Trove does not share your personal information with third parties other than as follows:

  • When you give us your explicit consent to do so, including if we notify you through the Service that the information you provide will be shared in a particular manner and you provide such information.
  • Customers of Trove's real-time benchmarking portal agree to allow Trove to anonymize the customer's data and provide it to other Trove customers in a manner that is fully aggregated and cannot be associated with a given company or individual at a company.
  • With third party vendors, consultants and service providers who perform functions on our behalf, but we limit their use of the information as is reasonably necessary to carry out their work.  
  • When we believe in good faith that we are lawfully authorized or required to do so or that doing so is reasonably necessary or appropriate to comply with laws or respond to lawful requests, legal process or legal authorities.  
  • When we believe in good faith that doing so is reasonably necessary or appropriate to protect our rights, property or safety or that of our employees, agents, users or others, including to enforce our agreements and policies or to enforce our Terms of Use including investigation of potential violations of our Terms of Use.  
  • In extraordinary circumstances, such as to respond to an emergency or for reasons of national security, an urgent matter of public or individual safety or other issues of dire importance.  
  • In connection with, or during negotiations of, a merger, consolidation, sale of our corporate assets or equity, financing, acquisition, corporate reorganization, strategic alliance or in any other similar situation where personal information may be transferred as one of our business assets.  
Third Party Links

The Service may contain links to other websites at which personal information is collected. This Policy does not apply to linked sites and we are not responsible for the content or privacy and security practices of those sites. Any personal information you provide to a linked site is provided directly to a third party and is subject to such third party's privacy policy. We encourage you to learn more about such third parties' privacy and security practices and policies before providing them with any personal information.

Access to Customer Data

Trove limits its personnel’s access to Customer Data as follows:

  • Requires unique user access authorization through secure logins and passwords that include the following password guidelines: 1) Users select their own passwords, to strictly avoid ever storing a password in plain text; 2) Password requirements prevent weak passwords from being selected, both through dictionary exclusions (e.g. weak password blacklist) and complexity requirements; 3) Password requirements enforce a minimum length of at least 8 characters; 4) Passwords have a long maximum length of 64 characters; 5) The authentication mechanism is rate limited to mitigate the risk of brute force attacks. If requested, we will happily provide the source code to verify these constraints.
  • Limits the Customer Data available to Trove personnel on a “least privilege” principle;  
  • Restricts access to Trove’s production environment by Trove personnel on the basis of business need; and  
  • Encrypts user security credentials for production access including login information. Read more here to learn how Trove’s chosen authentication method uses an internally modified version of scrypt to hash account passwords.  
Data Encryption
  • Note that 100% of all customer data is stored entirely within Google Cloud infrastructure.
  • Trove implements End-to-End Transport Layer Security (TLS) across the platform. To learn more about Google Cloud’s end-to-end encryption standards, read this page. Cloud Firestore automatically encrypts all data before it is written to disk.
Data Management
  • Trove creates an audit trail for each login for every single user (i.e., a record of employee login attempts onto the Trove platform).
  • If the Customer requests this audit trail at any time, Trove will happily give this information to the Customer.
  • Trove logically separates each of its customers’ data and maintains measures designed to prevent Customer Data from being exposed to or accessed by other customers.
Network Security, Physical Security and Environmental Controls
  • Trove uses a variety of techniques designed to detect and/or prevent unauthorized access to systems processing Customer Data, including industry-standard firewalls. You can learn more about Trove’s chosen firewall at https://www.sophos.com/en-us.aspx.  
  • Trove monitors privileged access to applications that process Customer Data, including cloud services. For every single request of Customer Data, Trove keeps an audit trail. Trove will happily share this audit trail with the Customer if requested.
  • The Service operates 100% on Google Cloud and is protected by Google’s security and environmental controls.  Detailed information about Google Cloud security is available at https://cloud.google.com/security. For Google Cloud SOC2 Reports, please see this page.
  • Customer Data stored within Google Cloud is encrypted at all times. Google does not have access to unencrypted Customer Data at any time.
Independent Security Assessments

Trove periodically assesses the security of its systems and the Service as follows:

  • Annual detailed security and vulnerability assessments of the Service conducted by independent third-party security experts that include a thorough code analysis and a comprehensive security audit.  
  • Bi-annual penetration testing of Trove systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.  
  • Daily vulnerability scanning through https://cloud.google.com/security-scanner  
  • Code Review of any new code added to the Service.    
Incident Response

If Trove becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), Trove will:

  • Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.  
  • Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, Trove is not required to make such notice to the extent prohibited by Laws, and Trove may delay such notice as requested by law enforcement and/or in light of Trove’s legitimate needs to investigate or remediate the matter before providing notice. 1) The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach; 2) A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known; 3) The scope of the Breach, to the extent known; and 4) A description of Trove’s response to the Breach, including steps Trove has taken to mitigate the harm caused by the Breach.
Personnel Management
  • Trove provides training for its personnel who are involved in the processing of the Customer Data to ensure they do not collect, process or use Customer Data without authorization and that they keep Customer Data confidential, including following the termination of any role involving the Customer Data.  
  • Trove conducts routine and random monitoring of employee systems activity.  
  • Upon employee termination, whether voluntary or involuntary, Trove immediately disables all access to critical and noncritical systems, including Trove’s physical facilities.
Changes to Trove’s Information Security Policy

As the need arises, Trove may change its Policy at any time. We will provide notice of changes to our Policy by indicating on the Policy the date it was last updated and making the updated Policy available through our website. Your use of the Service or Software following the posting of the updated Policy constitutes your consent to all changes. We encourage you to review this Policy whenever you access or use our Service or Software to make sure you understand how personal information we collect may be used or disclosed.

Contacting Us

If you have any questions or comments about this Policy or our practices relating to the Service or Software, or if you believe we have not complied with this Policy, please contact us at info@trytrove.co.

De-Identified and Aggregated Data Policy

De-identification of data

Records from the Customer’s data systems including ATS (e.g. Lever), HRIS (e.g. BambooHR), and others (such as Confluence) are completely de-identified from the individual before being stored on Trove servers. In order for an individual to access their personal and confidential information through their Trove portal, Trove must make an API request to Customer’s systems to ensure that no confidential information can ever be associated with an individual if Trove’s servers were ever breached.

Sale of Data

Trove strictly does not sell any Customer Data to another customer. If this changes in the future, Trove will require explicit approval of a Policy update from the Customer, and that Customer’s data will be de-identified before being sold to any other company.

Responsible Disclosure Policy

Data security is a top priority for Trove, and Trove believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in Trove’s service, please notify us; we will work with you to resolve the issue promptly.

Disclosure Policy
  • If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at compliance@trytrove.co. We will acknowledge your email within 24 hours.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Trove service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
Exclusions

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Trove employees or contractors
  • Any attacks against Trove’s physical property or data centers

Thank you for helping to keep Trove and our users safe!

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://www.trytrove.co/security-and-policies.
