How we handle your data.

trustacks.com has no accounts, no logins, no preferences, no personalization. The only inbound data path is the contact form on /contact, and even then only the fields you choose to type.

Contact-form submissions go through a Next.js Server Action over HTTPS, get validated server-side (length bounds, email format, honeypot for bots), and are forwarded by email to a TruStacks-controlled inbox. The forwarding provider will be listed on the privacy notice once selected. Server logs capture only non-PII metadata — whether fields are present and the length of the message — so names and emails do not enter the log stream.

Vercel hosts the site (US-based, SOC 2 Type II and ISO 27001 certified). Most pages are statically prerendered, so a typical page view does not touch any database. The only runtime path is the contact form’s Server Action.

Vercel Analytics — cookieless, IP-free, privacy-respecting, aggregate-only. No third-party trackers, ad networks, session recorders, or fingerprinting tools have been wired up. We will surface any change to that posture on the privacy notice before it ships.

The TruStacks product UI runs at app.trustacks.com and is governed by a separate trust posture. Production credentials never live on the marketing side; never live on TruStacks-operated infrastructure at all. See /product/security for the supply-chain story.

Every TruStacks artifact — runner image, policy bundle — is cosign-signed against a publicly verifiable key. Nothing about our supply chain depends on you trusting our copy. The verification command is the same one you would run yourself; see /product/security.