Security is foundational to everything we build at Treeo. We understand that you are trusting us with your most sensitive business data, and we take that responsibility seriously.
Infrastructure Security
Treeo's platform is hosted on industry-leading cloud infrastructure with multiple layers of protection:
- Isolated environments: Production, staging, and development environments are fully isolated with separate access controls and credentials.
- Network security: All production systems operate within private networks with strict firewall rules. Public-facing endpoints are protected by a Web Application Firewall (WAF).
- DDoS protection: We employ industry-standard DDoS mitigation services to ensure platform availability.
- Redundancy and availability: Our infrastructure is distributed across multiple availability zones to ensure high availability and rapid failover.
Data Encryption
All data stored and transmitted through Treeo is encrypted using modern, industry-standard algorithms:
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2 or higher. We enforce HTTPS across all endpoints and use HSTS to prevent downgrade attacks.
- Encryption at rest: All data stored on our servers — including database credentials, user data, and query results — is encrypted at rest using AES-256.
- Database credentials: Connection credentials you provide are encrypted with a dedicated key management service and are never stored in plaintext.
Access Controls
We apply the principle of least privilege throughout our systems:
- Employee access: Treeo employees have access only to the systems and data necessary to perform their job functions. Access is reviewed regularly and revoked immediately upon role changes or offboarding.
- Multi-factor authentication: All internal systems require MFA. We strongly encourage users to enable MFA on their Treeo accounts as well.
- Audit logs: All access to production systems is logged and monitored for anomalous activity.
- Role-based access: Within team accounts, administrators can assign role-based permissions to control what data and features each team member can access.
Application Security
We follow secure development practices throughout the software lifecycle:
- Code reviews: All code changes undergo peer review before deployment.
- Dependency management: We regularly audit and update third-party dependencies to address known vulnerabilities.
- Security testing: We conduct regular penetration testing and vulnerability assessments.
- OWASP guidelines: Our development process follows OWASP Top 10 guidelines to mitigate common web application vulnerabilities including SQL injection, XSS, and CSRF.
We never execute raw queries against your database on behalf of users without an explicit, auditable request. All query execution is sandboxed, logged, and tied to authenticated sessions.
Data Isolation
Each customer's data is logically isolated from other customers' data. Our multi-tenant architecture ensures that one customer cannot access another's data under any circumstances. Query results and cached data are scoped strictly to the authenticated workspace that requested them.
Incident Response
We maintain a formal incident response process:
- Security incidents are triaged immediately by our on-call engineering team.
- Affected customers are notified within 72 hours of a confirmed breach involving their data, as required by applicable data protection laws.
- Post-incident reviews are conducted to identify root causes and prevent recurrence.
Compliance
We are committed to meeting the compliance requirements of our customers. Our security programme is designed to align with:
- GDPR (General Data Protection Regulation)
- SOC 2 Type II (in progress)
- ISO 27001 principles
Responsible Disclosure
We welcome reports from the security community. If you discover a potential vulnerability in our platform, please report it responsibly to security@treeo.ai. We ask that you:
- Give us a reasonable amount of time to investigate before public disclosure
- Avoid accessing or modifying data that does not belong to you
- Refrain from denial-of-service attacks or any other disruptive testing
We will acknowledge your report within 48 hours and keep you informed as we investigate and remediate the issue.
Contact
For security-related questions or to report a vulnerability, please contact our security team:
- Email: security@treeo.ai
For general privacy questions, see our Privacy Policy.