Security

Last updated March 21, 2026
Bid teams trust TRMS with sensitive commercial documents, compliance attachments, and proprietary content. This page describes the security controls we put in place to protect your data — from infrastructure to access management to incident response.

1. Security Overview

TRMS treats security as a first-class concern. We follow a defence-in-depth approach that combines secure infrastructure, strong access controls, regular auditing, and a culture of security awareness across the engineering organisation.

2. Infrastructure

TRMS runs on hardened cloud infrastructure with the following controls in place:

  • Workloads isolated inside a private VPC with no public ingress
  • Managed Kubernetes with automatic patching
  • WAF and DDoS protection at the network edge
  • Daily encrypted backups retained for 30 days

3. Data Protection

All customer data is encrypted in transit using TLS 1.2 or later and at rest using AES-256. Encryption keys are managed by our cloud provider's key management service and rotated regularly.

Customer Content is logically isolated by workspace and never commingled across tenants.

4. Access Controls

Access to production systems is restricted to a small set of authorised engineers using single sign-on, multi-factor authentication, and short-lived credentials. Every access event is logged and reviewed.

  • SSO enforced for all employees
  • Hardware security keys required for production access
  • Quarterly access reviews

5. Secure Development Lifecycle

Every change to TRMS goes through code review, automated tests, and static analysis before being merged. Security-sensitive changes receive an additional review from the security team. We continuously scan our dependencies for known vulnerabilities and patch them promptly.

6. Monitoring and Incident Response

Our infrastructure is monitored 24/7 for anomalies. We maintain a documented incident response plan and conduct regular tabletop exercises. In the event of a security incident affecting customer data, we will notify affected customers within 72 hours.

7. Compliance

TRMS is built to support compliance with the Zimbabwe Data Protection Act, GDPR, and SOC 2. Our SOC 2 Type II report is available to customers under NDA — please contact security@trms.co.zw to request a copy.

8. Responsible Disclosure

If you believe you have found a security vulnerability in TRMS, please report it to us at security@trms.co.zw. We will acknowledge your report within one business day and work with you to validate and remediate the issue.