Security

Documentation Index

Fetch the complete documentation index at: https://trunk-4cab4936-mintlify-migrate-docs-changes-1778007735.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

​

What data we access

​

Merge Queue

• GitHub repository metadata: Repository structure, branch information, and pull request data necessary for merge operations
• Pull request details: PR titles, descriptions, commit information, and test results to determine merge eligibility
• CI/CD status checks: Results from your CI jobs to validate code before merging
• GitHub webhook events: Real-time notifications about PR updates and CI status changes

• We do not clone or store your entire codebase
• Your source code remains in your GitHub repository

​

Flaky Tests

• Test results: Test reports in standard formats (JUnit XML, XCResult, Bazel BEP JSON, RSpec JSON) containing:
  • Test names and identifiers
  • Pass/fail status
  • Test execution time and duration
  • Error messages and stack traces from failed tests
  • Test suite organization and hierarchy
• CI job metadata: Job names, build IDs, branch names, commit SHAs, and timestamps
• Build statistics: CI job timing data, test count, and historical performance metrics
• Repository information: Repository name and organization details

• Test results are uploaded from your CI environment after tests complete
• Uploads use your organization-specific API token for authentication
• All data is transmitted over encrypted connections (TLS)
• You control which CI jobs upload results and when

• Full source code or proprietary business logic
• Sensitive environment variables or secrets
• Customer data processed by your applications
• Test execution logs beyond standard test framework outputs

​

How we protect your data

​

Infrastructure Security

• Hosting: All services are hosted on Amazon Web Services (AWS) in physically secure, U.S.-based data centers with 24/7 on-site security and access monitoring
• Encryption in transit: All data transmitted to and from Trunk uses TLS (Transport Layer Security) and HSTS
• Encryption at rest: All customer data is encrypted using AES-256
• Network isolation: Production services run in isolated AWS VPCs with restricted access; all services are within private subnets with no internet access and use a network gateway to permit specific traffic

​

Access Controls

• Authentication: Multi-factor authentication (MFA) required for access to sensitive systems and applications
• Principle of least privilege: Access to customer data is limited to authorized personnel with business need
• Unique user accounts: All access requires unique user credentials; no shared accounts
• Access monitoring: All access to production environments is logged and monitored for security purposes
• Access reviews: User access is reviewed annually to ensure appropriate permissions
• Immediate revocation: System access is revoked within one business day of employee termination

​

Security Monitoring & Testing

• Continuous monitoring: Automated logging and alerting for security events; alerts are sent to appropriate personnel and corrective actions are performed as necessary
• Vulnerability scanning: Quarterly automated vulnerability scans to identify and remediate security issues
• Penetration testing: Annual third-party penetration tests using industry-standard methodologies
• Incident response: Formal incident response plan with defined procedures for security events

​

Compliance & Auditing

​

SOC 2 Type II Certified

• Security: Protection against unauthorized access
• Availability: System uptime and reliability
• Confidentiality: Protection of sensitive information

• Controls were suitably designed throughout the period
• Controls operated effectively throughout the period
• No significant security incidents occurred during the audit period