
Security at True Aim

Last updated: 2026-05-21

Report a vulnerability: security@trueaim.ai. We acknowledge reports within 5 business days. See Responsible disclosure.

True Aim AG operates a claims-processing platform for insurers, brokers, and other entities in the insurance value chain that handle claims. Security is a core requirement of our Service, and our customers entrust us with personal data of their policyholders. This page describes our security program at a high level. For full audit-grade evidence (SOC 2 Type II report when issued, ISO 27001 certificate when issued, sub-processor list, Data Processing Agreement), contact security@trueaim.ai. These documents are available under NDA.

Compliance frameworks

  • ISO 27001:2022: readiness assessment complete, certification audit in progress.
  • SOC 2 Type II: control implementation complete, observation period in progress.
  • Swiss FADP and GDPR: aligned as a data processor for customer data. The supporting controls fall within the scope of our SOC 2 and ISO 27001 audits; neither framework certifies GDPR or FADP compliance as such, and our processor obligations are set out in the Data Processing Agreement.
  • EU AI Act: AI Technical File maintained for the ClaimPilot platform; current readiness is documented and tracked.

Where data is processed

All customer data is stored and processed on Microsoft Azure in the Switzerland North region. We do not transfer customer data outside Switzerland for routine processing.

Sub-processors

We use a limited set of Microsoft Azure services for hosting, AI inference, and operational telemetry, plus Google Workspace (for business email). See our Privacy Policy for the current list. We notify customers in advance of changes. Internal-only tools (source control, CI/CD, CRM) that do not process Tenant production data are not customer sub-processors and are not listed.

Encryption

All data is encrypted in transit (TLS 1.2 or above) and at rest (AES-256 via Azure platform encryption). Application secrets are stored in Azure Key Vault with soft-delete and purge protection enabled.
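The Key Vault settings named above (soft-delete plus purge protection) are the ones a customer or auditor would want to verify rather than take on trust. The following is an added example, not True Aim's own tooling: a small audit script that reads the JSON printed by `az keyvault show` and reports vaults that fall short of that baseline. The vault names and values are a constructed sample; the `MIN_RETENTION_DAYS` threshold and the additional RBAC-authorization check are assumptions about a reasonable local policy, not claims from this page.

```python
"""Audit Azure Key Vault records for soft-delete and purge protection.

Added example (not True Aim's code). Input is the JSON shape printed by
`az keyvault show`: top-level "name"/"location" and a "properties" object
holding the ARM property names checked below.
"""
import json

# Constructed sample modelled on `az keyvault show` output; names and values
# are invented for this example.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "name": "kv-claims-prod",
        "location": "switzerlandnorth",
        "properties": {
            "enableSoftDelete": True,
            "softDeleteRetentionInDays": 90,
            "enablePurgeProtection": True,
            "enableRbacAuthorization": True,
        },
    },
    {
        "name": "kv-legacy",
        "location": "switzerlandnorth",
        "properties": {
            "enableSoftDelete": True,
            "softDeleteRetentionInDays": 7,
            "enablePurgeProtection": False,
            "enableRbacAuthorization": False,
        },
    },
])

# Assumption: local policy minimum. Azure itself accepts 7..90 days.
MIN_RETENTION_DAYS = 30


def audit_vault(vault: dict) -> list[str]:
    """Return human-readable findings for one vault record (empty list = passes)."""
    props = vault.get("properties", {})
    findings = []

    # Soft-delete keeps deleted secrets recoverable for the retention window.
    if not props.get("enableSoftDelete", False):
        findings.append("soft-delete is disabled: deleted secrets cannot be recovered")
    else:
        retention = props.get("softDeleteRetentionInDays", 0)
        if retention < MIN_RETENTION_DAYS:
            findings.append(
                f"soft-delete retention is {retention} days, "
                f"below policy minimum of {MIN_RETENTION_DAYS}"
            )

    # Purge protection blocks permanent deletion during the retention window,
    # even for a principal with purge rights; once enabled it cannot be turned off.
    if not props.get("enablePurgeProtection", False):
        findings.append(
            "purge protection is disabled: a privileged attacker or operator "
            "error can permanently purge soft-deleted secrets"
        )

    # Assumed hardening beyond what the page states: Azure RBAC over legacy
    # vault access policies, so vault permissions are managed centrally.
    if not props.get("enableRbacAuthorization", False):
        findings.append("vault uses access policies instead of Azure RBAC authorization")

    return findings


def audit_vaults(az_json: str) -> dict[str, list[str]]:
    """Parse raw `az` JSON (a list of vault records) and map vault name to findings."""
    return {v["name"]: audit_vault(v) for v in json.loads(az_json)}


if __name__ == "__main__":
    for name, findings in audit_vaults(SAMPLE_AZ_OUTPUT).items():
        print(("OK   " if not findings else "FAIL ") + name)
        for finding in findings:
            print("  - " + finding)
```

To run it against a real subscription, wrap the output of `az keyvault show --name <vault>` for each vault in a JSON list and pass it to `audit_vaults`. Treat a purge-protection finding as the serious one: soft-delete alone still allows an attacker with sufficient rights to purge a secret permanently within the retention window, and enabling purge protection is a one-way change, so it belongs in the infrastructure-as-code definition rather than a manual fix.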

Access control

Access to customer data is restricted to authorised True Aim personnel on a least-privilege, need-to-know basis, enforced through Azure role-based access control. Service-to-service access within the platform uses Azure Managed Identities rather than shared long-lived credentials. Multi-factor authentication is enforced for all employee accounts.

Monitoring and incident response

We operate continuous logging, alerting, and monitoring on the production environment via Microsoft Defender for Cloud and Azure Monitor. We maintain a documented incident response procedure. Customers will be notified of confirmed security incidents affecting their data without undue delay and in accordance with our Data Processing Agreement.

Vulnerability management

We monitor our software dependencies and infrastructure for known vulnerabilities through automated scanning and Microsoft Defender. Findings are triaged against documented severity SLAs. We engage third-party penetration testers on a recurring basis.

Personnel security

All personnel undergo background screening, accept confidentiality obligations, and complete security and privacy awareness training.

Business continuity

Customer data is backed up on a regular schedule, with documented restore procedures. We test our disaster recovery procedures periodically.

Responsible disclosure

If you believe you have found a security vulnerability in our Service or in this website, please report it to security@trueaim.ai. We commit to acknowledging your report within 5 business days and to working with you in good faith to investigate and remediate verified issues. We will not pursue legal action against researchers who follow this disclosure process, act in good faith, and do not access, modify, or delete data beyond what is necessary to demonstrate a vulnerability. See also our Ethics & Reporting channel for non-security misconduct.

Contact

For security-related questions: security@trueaim.ai. For privacy and data-protection enquiries: privacy@trueaim.ai.