Enterprise-Grade Security

Trellis is built on industry-leading infrastructure with multiple layers of protection for sensitive educational information. Your district's data security and privacy is our top priority.

Our Commitment to Security

We understand that educational institutions handle sensitive information about teachers, students, and staff. That's why we've built Trellis with security and privacy as foundational principles, not afterthoughts. Every aspect of our platform is designed to protect your data and support your compliance with educational privacy standards.

Certified Infrastructure

Trellis runs on infrastructure from Anthropic, OpenAI, Supabase, Vercel, and Clerk. Each vendor maintains rigorous third-party security audits and certifications:

  • SOC 2 Type 2 – Held by every core vendor in our stack — Anthropic, OpenAI, Supabase, Vercel, and Clerk — and audited annually by independent third parties
  • ISO 27001 – The international information-security management standard, held by vendors including Anthropic, OpenAI, and Vercel
  • ISO 42001 – Anthropic, our primary AI provider, is certified under this new standard for responsible AI management systems
  • HIPAA-Ready Vendors – Our database and AI providers offer HIPAA-compliant configurations — security programs built to healthcare-grade standards
  • CSA STAR – Our AI vendors, including Anthropic, are listed in the Cloud Security Alliance's STAR registry for cloud security transparency

These certifications are held by our infrastructure vendors, not by Trellis directly. We're happy to share current documentation for any vendor in our stack.

Data Protection

Your sensitive data is protected at every layer with enterprise-grade security measures:

  • Encryption in transit & at rest – All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Teacher PII never reaches AI providers – Teacher names and emails are replaced with cryptographic aliases (HMAC-SHA256) before any content is sent to an AI model — and a built-in tripwire blocks the request entirely if identifying details slip through
  • Workspace-scoped isolation – Every query is scoped to your school's workspace at the application layer, so one district's data is never visible to another
  • No AI training on your data – Under Anthropic's and OpenAI's API terms, your content is never used to train their models
  • Voice recordings never retained – Audio from voice-note observations is deleted from storage immediately after transcription completes
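
The aliasing-plus-tripwire pattern described in the list above, sketched as an added example. It is not Trellis's own code; the key, roster, alias format and tripwire rules are assumptions made for illustration.

```python
import hashlib
import hmac
import re

DEMO_KEY = b"constructed-demo-key"  # constructed; a real key would come from a secrets manager
ROSTER = [("Maria Lopez", "mlopez@example.edu")]  # constructed sample roster
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class PiiLeak(Exception):
    """Raised when identifying details survive aliasing; the request must not be sent."""

def alias_for(identifier, key):
    # Keyed and deterministic: the same teacher always maps to the same alias,
    # and the mapping cannot be recomputed or brute-forced without the key.
    normalized = " ".join(identifier.lower().split())
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()
    return "teacher_" + digest[:16]  # truncated for readability (assumption)

def pseudonymize(text, roster, key):
    for name, email in roster:
        alias = alias_for(email, key)  # alias keyed on email so name and email agree
        for needle in (email, name):
            text = re.sub(re.escape(needle), alias, text, flags=re.IGNORECASE)
    return text

def tripwire(text, roster):
    # Second, independent check on the outgoing text. Findings name the category
    # only, so the PII itself never ends up in logs or error messages.
    findings = []
    if EMAIL_RE.search(text):
        findings.append("email-pattern")
    for name, _email in roster:
        for token in name.split():
            if len(token) > 2 and re.search(rf"\b{re.escape(token)}\b", text, re.IGNORECASE):
                findings.append("roster-name-token")
    return findings

def prepare_prompt(text, roster, key):
    safe = pseudonymize(text, roster, key)
    findings = tripwire(safe, roster)
    if findings:
        raise PiiLeak(", ".join(sorted(set(findings))))
    return safe

if __name__ == "__main__":
    print(prepare_prompt("Maria Lopez (mlopez@example.edu) led a strong lesson.", ROSTER, DEMO_KEY))
```

A partial mention such as "Ms. Lopez" is not caught by the full-name replacement, so the tripwire raises `PiiLeak` instead of letting the text through.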

Privacy First

We're committed to protecting teacher and student privacy with comprehensive safeguards:

  • Designed for FERPA – Built to support your district's FERPA obligations, with data processing agreements that document exactly how records are handled
  • Role-based access – Granular permissions ensure staff only access what they need
  • Deletion audit trail – Account deletions cascade through every linked record and are written to a permanent audit log; infrastructure access logs are maintained by our hosting providers
  • Data ownership – Your data belongs to you, always. We never sell it, and we share it only with the subprocessors needed to run the service.
  • Self-serve data export – Download your workspace's complete data set — teachers, observations, and evaluations — as JSON or CSV

Reliable Infrastructure

Built on enterprise-grade platforms you can trust for reliability and performance:

  • Enterprise database – PostgreSQL database with Supabase infrastructure
  • High historical availability – Trellis runs on Vercel and Supabase, platforms with strong published availability track records
  • Automatic scaling – Infrastructure grows seamlessly with your district
  • Automated backups – The production database is backed up automatically by our database provider
  • Continuous monitoring – Our infrastructure vendors monitor their platforms around the clock, and we track application errors and availability

Additional Security Measures

Secure Development Practices

Security review is part of our development process, and the vendors we build on undergo regular third-party audits and penetration testing.

DDoS Protection

Platform-level DDoS mitigation from Vercel's edge network protects your access to Trellis.

Incident Response

If a security incident affects your data, we will notify affected workspaces promptly. Notification commitments can be formalized in your district's DPA.

Multi-Factor Authentication

MFA is supported on every Trellis account through Clerk, our identity provider, adding a second layer of protection to staff logins.

Questions about security?

We're happy to share detailed security documentation — including vendor certifications and our subprocessor list — execute Data Processing Agreements (DPAs), and answer any compliance questions your district may have.

Compliance & Legal

Trellis is designed to help educational institutions maintain compliance with applicable laws and regulations:

  • FERPA (Family Educational Rights and Privacy Act) – Trellis is designed to support your FERPA obligations: records are used only to deliver the service, and our responsibilities are documented in a signed DPA.
  • COPPA (Children's Online Privacy Protection Act) – Trellis is a staff-facing platform that is not directed to children, and we do not knowingly collect personal information from children under 13.
  • State Privacy Laws – We work with districts to support state-specific student privacy requirements, including California's student privacy laws, through our DPAs and data-handling practices.
  • Data Processing Agreements – We're happy to execute DPAs with districts to formally document our data handling responsibilities.