TrueWatch manages security with a layered approach designed to protect its SaaS systems, customer data, and company assets. The company’s practices integrate platform, network, personnel, and product security measures to ensure operational integrity and trust.
Platform and Network Security
TrueWatch protects its systems during daily operations using firewalls, encryption of data in transit, real-time protection via endpoint security solutions, regular patching, and strict access controls, including Multi-Factor Authentication (MFA) and Zero Trust Network Access. These measures are complemented by incident response policies designed for the prompt management of security events. All proposed system changes are authorized, documented, tested, reviewed, and approved prior to implementation, with access restricted to authorized personnel. The most sensitive parts of TrueWatch systems, including network components, applications, operating systems, data stores, encryption keys, and critical infrastructure, are protected through restricted privileged access, role-based controls, multi-factor authentication, firewalls, endpoint security, secure transmission protocols, regular patching, and comprehensive access reviews. TrueWatch follows internal rules and procedures, including documented security incident response policies, access request and termination procedures, and formal policies for backup, recovery, and asset disposal, to ensure controlled access and secure handling of sensitive data.
System Availability
TrueWatch SaaS system architecture ensures high availability by deploying critical systems across multiple availability zones (AZs), utilizing real-time database replication, and implementing automated capacity management. Infrastructure monitoring and alerting allow prompt detection and resolution of potential issues. TrueWatch’s Service Level Agreement (SLA) (see the TrueWatch SLA) commits to a minimum 99.90% availability per calendar month, and system uptime is continuously monitored through infrastructure tools. If part of the system fails, redundancy and disaster recovery measures, such as deploying critical systems across multiple AZs and replicating databases to secondary AZs in real time, help maintain continuity for users. Traffic spikes are managed by continuously monitoring system capacity, applying auto-scaling, and adjusting resources proactively to ensure availability during peak demand. When service interruptions occur, users are informed through the Status Page, which displays the real-time operational status of service modules and allows subscription to incident notifications, sending email alerts whenever a site enters an abnormal state.
Personnel Security
Before employment, TrueWatch performs screening that includes identity verification and, where permitted by law, background checks. All TrueWatch employees share responsibility for protecting customer data. Every employee receives security and privacy awareness training upon hire and annually thereafter, ensuring understanding of protocols for safeguarding data. Employees are expected to read, acknowledge, and adhere to the Employee Handbook, follow security best practices, and complete mandatory training. Access rights are updated or revoked through a formal termination checklist when employees leave or change roles, with access typically revoked within 24 hours. MFA is enforced for all personnel.
Product Security
TrueWatch integrates security into every stage of the software development lifecycle. All changes undergo formal authorization, testing, review, and approval prior to deployment. Continuous patching and infrastructure hardening mitigate vulnerabilities. During planning and design, new features are reviewed and tested through formal processes to ensure they meet security requirements before implementation. DevSecOps practices are embedded into CI/CD pipelines, including automated vulnerability scans, code reviews, and patch management, to maintain security throughout development and deployment. Reported issues are logged, tracked, evaluated, and communicated to affected parties. Security events and incidents are addressed according to documented policies, with remediation plans promptly implemented. Regular security testing includes annual penetration testing and quarterly vulnerability scans. Critical procedures, such as backup and recovery and incident response plans, are reviewed and tested at least annually. Security updates and vulnerabilities are communicated to authorized users via documented incident response procedures and internal channels such as Lark Wiki. Learn more about our platform’s security and compliance framework in our Trust Center.
Patch and Vulnerability Management
TrueWatch manages patching and vulnerability remediation through a structured process designed to protect customer data and maintain service reliability. Patches and updates are selected based on routine vulnerability scans and vulnerability management configurations, which highlight critical and high-risk issues requiring immediate remediation. Updates are applied during scheduled maintenance windows or in response to urgent findings. Before deployment, patches are validated through configuration inspections and deployment evidence, confirming that no exceptions are found.
Patching is prioritized based on risk, impact, and urgency. TrueWatch follows a defined SLA:
| Risk Level | SLA Timeline |
|---|---|
| Critical | within 1–3 working days |
| High Risk | within 7 working days |
| Medium Risk | within 30 working days |
| Low Risk | quarterly |
This prioritization ensures that security threats are addressed quickly while maintaining stability for lower-risk items. Testing is integrated into the patching process to ensure that updates do not disrupt service availability or performance, with monitoring, configuration checks, and deployment alerts validating successful implementation. Customers are notified of upcoming maintenance windows or release updates via email notifications sent several days in advance, while Release Notes webpages provide details on new features, bug fixes, and security advisories. All changes are documented through formal change request tickets, which are reviewed, authorized, tested, and approved before production deployment.
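The SLA table above can be turned into a simple compliance check over vulnerability-scan findings: compute each finding's due date from its risk level, then flag anything open past that date or fixed late. The code below is an added example written for this page, not TrueWatch's own tooling. It assumes working days are Monday to Friday with no holidays, checks the Critical tier against its 3-working-day outer bound, and models "quarterly" for Low findings as due by the end of the calendar quarter in which the finding was raised; the findings it runs over are constructed sample data.

```python
"""Check vulnerability findings against a risk-tiered remediation SLA.

Added illustration for this page, not TrueWatch's code. Assumptions:
working days are Monday-Friday with no holidays; "Critical: within 1-3
working days" is checked against the 3-day outer bound; "Low: quarterly"
is modelled as due by the end of the calendar quarter of the finding date.
"""
from datetime import date, timedelta

# Working-day SLA per risk level, from the table above.
# None means the quarter-end rule applies instead of a day count (assumption).
SLA_WORKING_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": None}


def add_working_days(start: date, n: int) -> date:
    """Return the date n working days after start (Mon-Fri only, no holiday calendar)."""
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() 0-4 are Monday-Friday
            remaining -= 1
    return current


def quarter_end(d: date) -> date:
    """Last day of the calendar quarter containing d (assumed model for 'quarterly')."""
    last_month = ((d.month - 1) // 3 + 1) * 3
    if last_month == 12:
        return date(d.year, 12, 31)
    return date(d.year, last_month + 1, 1) - timedelta(days=1)


def due_date(found: date, risk: str) -> date:
    """Remediation deadline for a finding raised on `found` with the given risk tier."""
    key = risk.lower()
    if key not in SLA_WORKING_DAYS:
        raise ValueError(f"unknown risk level: {risk}")
    days = SLA_WORKING_DAYS[key]
    if days is None:
        return quarter_end(found)
    return add_working_days(found, days)


def sla_status(finding: dict, today: date) -> str:
    """Classify a finding as remediated_in_sla, remediated_late, open or overdue."""
    due = due_date(finding["found"], finding["risk"])
    fixed = finding.get("remediated")
    if fixed is not None:
        return "remediated_in_sla" if fixed <= due else "remediated_late"
    return "overdue" if today > due else "open"


def sla_report(findings: list, today: date) -> dict:
    """Map finding id -> (due date, status) for every finding in the list."""
    return {f["id"]: (due_date(f["found"], f["risk"]), sla_status(f, today))
            for f in findings}


# Constructed sample findings (not real data). 2024-03-01 is a Friday, so the
# Critical finding's 3 working days run Mon 4, Tue 5, Wed 6 March.
SAMPLE_FINDINGS = [
    {"id": "FND-001", "risk": "Critical", "found": date(2024, 3, 1),
     "remediated": date(2024, 3, 5)},           # fixed before the Mar 6 deadline
    {"id": "FND-002", "risk": "High", "found": date(2024, 3, 1),
     "remediated": None},                       # due Mar 12, still open
    {"id": "FND-003", "risk": "Medium", "found": date(2024, 1, 10),
     "remediated": None},                       # 30 working days -> due Feb 21
    {"id": "FND-004", "risk": "Low", "found": date(2024, 2, 14),
     "remediated": date(2024, 4, 2)},           # due Mar 31 (quarter end), fixed late
]
REPORT_DATE = date(2024, 3, 15)  # constructed "today" for the sample report

if __name__ == "__main__":
    for fid, (due, status) in sla_report(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{fid}: due {due.isoformat()} -> {status}")
```

Run as a script it prints one line per finding; in practice the findings list would be fed from the scanner's export, and the working-day helper would be extended with the organisation's holiday calendar.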
Physical Security
TrueWatch data and infrastructure are hosted entirely in major cloud environments, where the cloud service provider manages the physical and environmental security of the data centers. Within its offices, TrueWatch applies physical security measures such as badge access, biometrics, and CCTV monitoring to safeguard work areas. All entries and exits are logged and monitored. Visitors are required to use a building-issued visitor badge and must remain under the escort of a TrueWatch employee for the duration of their visit. Access for third-party contractors and temporary employees is controlled through documented procedures. These include role-based access request forms and defined termination processes to ensure access is revoked within 24 hours of role changes or the conclusion of their engagement.
