Treviya
Trust · Security

Encryption. Access. Operations.

Security on Treviya is architecture, not a feature. Every record is encrypted at rest. Every request is encrypted in transit. Keys rotate quarterly. Sensitive actions step up.

Technical specifications
Encryption at rest: AES-256-GCM
Encryption in transit: TLS 1.3 · HSTS preload
Key derivation: HKDF-SHA256 · per-record
Key rotation: Quarterly · scheduled
KYC document storage: Encrypted · isolated vault
Backup encryption: Enabled · customer-managed option
Session management: 24h default · step-up for sensitive actions
Second factor: Mandatory · passkeys (WebAuthn) preferred
Trusted-device PIN: Per-device · user-managed
RBAC: Institutional + multi-user accounts
Audit logs: Append-only · 7-year retention
Incident response: Runbooks · post-mortem within 72h

How access works

Account security

Two-factor is mandatory at account creation. WebAuthn passkeys are preferred and supported on modern devices; authenticator-app TOTP is available as a fallback. Per-device trusted PINs let members approve low-risk actions quickly without re-authenticating fully.

Step-up authentication

Sensitive actions (withdrawals, role changes, document uploads, allocation authorisations) require a second, live authentication factor. This applies regardless of session age.
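
A sketch of how a step-up gate of this kind can be enforced server-side, added here as an illustration and not Treviya's own code. The action identifiers, the `Session` fields, the 2-minute "live" window and the single-use rule are assumptions; only the action list and the 24h session default come from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Action names mirror the page's list of sensitive actions (identifiers are hypothetical).
SENSITIVE_ACTIONS = frozenset(
    {"withdrawal", "role_change", "document_upload", "allocation_authorisation"}
)
SESSION_TTL = 24 * 3600   # page: 24h default session lifetime
LIVE_WINDOW = 120         # assumption: an assertion counts as "live" for 2 minutes


@dataclass
class Session:
    created_at: float
    # Set when a WebAuthn/TOTP assertion is verified for one specific action.
    step_up_at: Optional[float] = None
    step_up_action: Optional[str] = None
    # Trusted-device PIN state; deliberately ignored for sensitive actions.
    pin_verified: bool = False


def record_step_up(session: Session, action: str, now: float) -> None:
    """Call only after the second factor has been verified for `action`."""
    session.step_up_at, session.step_up_action = now, action


def authorize(session: Session, action: str, now: float) -> str:
    """Return 'allow', 'step_up_required' or 'reauthenticate'."""
    if not 0 <= now - session.created_at < SESSION_TTL:
        return "reauthenticate"
    if action not in SENSITIVE_ACTIONS:
        return "allow"
    # The login factor and session age play no part: only an assertion made
    # for this exact action, inside the live window, satisfies the gate.
    live = (
        session.step_up_at is not None
        and session.step_up_action == action
        and 0 <= now - session.step_up_at <= LIVE_WINDOW
    )
    # Consume or discard the assertion either way: one factor, one action.
    session.step_up_at = session.step_up_action = None
    return "allow" if live else "step_up_required"
```

Binding the assertion to a single action and clearing it after use keeps one approved withdrawal from also covering a later role change made in the same session.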

Institutional access (RBAC)

Institutional accounts support role-based access: separate roles for account owner, approver, operator and viewer. Every action is written to the cycle or account audit log with the acting role attached.


Architecture, not a feature. Scrutiny welcome.

Institutional members can request our security whitepaper and latest audit reports under NDA.