Trust & Security
Last reviewed: 14 May 2026
True Blue Horizon stores and processes information about your vessel and your AI conversations. We take that responsibility seriously. This page summarises our security posture and what you can expect. It is supported by the binding commitments in our Data Processing Addendum and Privacy Policy.
- All data in transit is encrypted with TLS 1.2 or higher.
- Data at rest is encrypted with AES-256 (Supabase / Google Cloud managed keys).
- Multi-tenant isolation is enforced by PostgreSQL row-level security policies in Supabase and tenant-scoped access in BigQuery.
- Backups are taken daily with a rolling 90-day retention.
- Primary hosting is in the United States; international transfers are documented in our DPA.
- Customer credentials are stored only as password hashes; we never see or store your plaintext password.
- Multi-factor authentication is required for all personnel with administrative access.
- Production access is limited to a small number of trained personnel, on a least-privilege basis.
- Administrative actions are recorded in an immutable audit log and reviewed.
- AI features run on enterprise tiers of our model providers (currently Google Vertex AI). Customer prompts and Vessel context are not used to train foundation models.
- AI output is advisory; we publish a clear Marine Safety & AI Disclaimer that customers acknowledge at signup.
- We do not use AI for consequential automated decision-making about you.
- Continuous dependency scanning and patching, with a documented SLA for critical vulnerabilities.
- Static analysis and code review for every change to production code.
- Annual third-party penetration testing (commencing once the Service reaches the threshold of paying customers that warrants it).
- A coordinated disclosure programme — please report security issues to security@truebluehorizon.com. We commit to acknowledging reports within 72 hours.
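The row-level security mentioned in the isolation bullet above, shown as an added illustration. This is not True Blue Horizon's schema or policy text: the table `vessel`, the `tenant_id` JWT claim, the role `app_user` and the helper `current_tenant_id()` are all constructed for the example. It runs on a plain PostgreSQL 13+ instance as a superuser; on Supabase the same mechanism is exposed through `auth.jwt()`, which reads the same `request.jwt.claims` setting.

```sql
-- Added illustration of tenant isolation with PostgreSQL row-level security.
-- Constructed schema: "vessel", the "tenant_id" claim and the role "app_user"
-- are assumptions for this example, not the Service's actual objects.
create table vessel (
    id        uuid primary key default gen_random_uuid(),
    tenant_id uuid not null,
    name      text not null
);

-- Constructed sample data for two tenants (fixed UUIDs so the demo is repeatable).
-- Inserted before RLS is switched on so the seed works regardless of who runs it.
insert into vessel (tenant_id, name) values
    ('11111111-1111-4111-8111-111111111111', 'Horizon One'),
    ('22222222-2222-4222-8222-222222222222', 'Blue Two');

-- Application role the API connects as. It must NOT be a superuser and must
-- not carry BYPASSRLS, otherwise every policy below is silently skipped.
create role app_user nologin;
grant select, insert, update, delete on vessel to app_user;

-- RLS is off by default. ENABLE turns it on; FORCE additionally applies it to
-- the table owner, so a migration or admin session cannot bypass it by accident.
alter table vessel enable row level security;
alter table vessel force row level security;

-- Tenant identity comes from the verified JWT. PostgREST/Supabase publish the
-- token's claims in the "request.jwt.claims" setting for the duration of the
-- request. A missing or empty claim yields NULL, and a NULL comparison fails
-- the policy, so an unauthenticated request sees nothing (deny by default).
create function current_tenant_id() returns uuid
language sql stable as $$
    select (nullif(current_setting('request.jwt.claims', true), '')::jsonb
            ->> 'tenant_id')::uuid
$$;

-- USING filters rows on SELECT/UPDATE/DELETE; WITH CHECK rejects any write
-- that would create a row in, or move a row into, another tenant.
create policy vessel_tenant_isolation on vessel
    for all
    to app_user
    using      (tenant_id = current_tenant_id())
    with check (tenant_id = current_tenant_id());

-- Simulate one API request from tenant 1: switch to the restricted role and
-- set the claims the gateway would publish after verifying the token.
set role app_user;
select set_config('request.jwt.claims',
                  '{"tenant_id":"11111111-1111-4111-8111-111111111111"}', false);

select name from vessel;            -- only 'Horizon One'; 'Blue Two' is invisible

-- A write aimed at another tenant is rejected by WITH CHECK with
-- ERROR: new row violates row-level security policy for table "vessel"
-- (left commented so the script does not abort under ON_ERROR_STOP):
-- insert into vessel (tenant_id, name)
--     values ('22222222-2222-4222-8222-222222222222', 'smuggled');

-- With no claim at all nothing is visible: deny by default.
select set_config('request.jwt.claims', '', false);
select count(*) from vessel;        -- 0

reset role;
```

Two checks a practitioner would run against a real deployment: confirm that every application role lacks `BYPASSRLS` and `SUPERUSER` (`select rolname from pg_roles where rolbypassrls or rolsuper`), and confirm that every tenant-scoped table has both `relrowsecurity` and `relforcerowsecurity` set in `pg_class`. On Supabase the `service_role` key maps to a role that bypasses RLS by design, so it must never reach a browser or mobile client; only the anon/authenticated keys, which are subject to policies like the one above, belong on the client side.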
We maintain a documented incident response plan. In the event of a personal data breach we will notify affected customers and regulators as required by law — generally within 72 hours of confirming a breach. Status, including non-personal-data incidents, is published at status.truebluehorizon.com.
We are building towards SOC 2 Type II readiness and align our practices to the NIST Cybersecurity Framework, the New York SHIELD Act “reasonable safeguards” standard, and the Massachusetts 201 CMR 17.00 information-security regulation. Custom-tier customers can request our current control matrix and progress under NDA.
Security: security@truebluehorizon.com. Privacy: privacy@truebluehorizon.com.