In a study conducted by SafeNet, 52% of US respondents said that they would be reluctant to do business with a company that had a data breach involving the theft of sensitive information.
At Trustpilot, we want to ensure our partners, customers, and consumer community feel confident and comfortable trusting their sensitive data in our hands. We understand the importance of adequately protecting private information in today's data-driven world, and we take the security of all of the data within our systems very seriously.
Below, we have covered answers to frequently asked questions from businesses and consumers on how we safeguard data throughout our systems and processes.
How secure is Trustpilot’s website?
In an effort to safeguard traffic between Trustpilot and its customers, all communication uses 128-bit encryption by default.
In addition, all of Trustpilot’s websites use Transport Layer Security (TLS) to ensure that no third party can eavesdrop on or tamper with messages in transit at any time.
Is it safe to copy Trustpilot into confirmation emails using the BCC function?
Invitations can only be queued by an email address that matches the domain of the account registered with Trustpilot. The emails are sent to a specially assigned email address and are never exposed to customers.
The emails are stored at Amazon Web Services in Ireland using state-of-the-art surveillance and multi-factor surveillance systems. In addition to digital security, security guards are on duty 24 hours a day protecting the servers from attack.
Trustpilot never stores the transaction-related emails our customers send to trigger review invitations for more than 30 days after they reach our system. Trustpilot does not have the authority to use the data for any other purposes, and we will never pass it on to any third parties as this is strictly against our guidelines.
How can we invite our customers without violating governmental data protection laws?
Trustpilot’s unique link allows businesses to create pre-populated URLs without exposing Trustpilot to customer information (such as their name, email address, or reference ID).
Where businesses build these links in accordance with our guidelines, Trustpilot can identify businesses’ customers only when they decide to leave a review.
These links are designed using SHA-1 cryptographic hash functions that secretly and safely communicate text values. By design, these hash functions are not reversible and allow our system to identify users in a secure way.
How secure are Trustpilot’s APIs?
Trustpilot’s API is separated into two parts with different security layers for each.
Customer API: Trustpilot uses OAuth 2 authentication to validate and identify users currently accessing its API. This type of authentication is useful for web applications like Trustpilot’s because it allows hosts to learn a lot of information about who the user is and what he/she is doing inside the application. Having this information is essential to ensuring that our users can communicate with Trustpilot across diverse networks. It also allows Trustpilot to give specific users access only to specific parts of our API. These measures are essential to ensuring that Trustpilot can protect its own and its customers' systems from breaches.
Public API: Trustpilot's public API does not require OAuth 2, and can be accessed by including an assigned API key in the appropriate request. Only publicly listed information on Trustpilot.com can be accessed with this API. No email addresses, reference IDs, or information about customers can be accessed. In an effort to protect these keys, however, we ask that our customers do not display them on the client side of their websites. This is a necessary step in ensuring that the API key is not easily accessed in browser developer tools by a potential intruder.