Security and access control
Firebase-backed authentication, admin-only operational surfaces, role-based workflows, audit-oriented docs, and SSRF guard references are tracked in architecture and security docs.
This page explains the controls TrueLink can stand behind today, the claims that are still roadmap-only, and the public review gates we use before AI-assisted content or international SaaS changes ship.
These statements are intentionally conservative. Roadmap work is labeled as roadmap, not certification.
Firebase-backed authentication, admin-only operational surfaces, role-based workflows, audit-oriented docs, and SSRF guard references are tracked in architecture and security docs.
Privacy policy, app data safety matrix, subprocessor summary, and deletion/export planning are maintained as public and internal governance references.
AI-assisted blog drafts store provenance flags and cannot publish or schedule until human review is marked complete.
ISO 27001, ISO 27701, SOC 2, GDPR/DPA, and subprocessors are tracked as readiness work. No issued certification is claimed here.
New user-facing screens target WCAG 2.2 AA. The public Accessibility Statement records current status, known limits, and feedback channels.
The public Status and Incident History page records the current manual status boundary, incident update rules, and blocked uptime/no-incident claims.
AI must not invent customers, numbers, rankings, certifications, testimonials, legal positions, security guarantees, or case results.
Use this table to review what exists, where it is documented, and what still needs production evidence.
| Area | Current status | Reference | Next proof needed |
|---|---|---|---|
| International SaaS gate | PR template and CI require explicit gate language for PRs to dev/main. | docs/INTERNATIONAL_SAAS_READINESS_STANDARD.md | Keep expanding automated checks beyond PR text. |
| AI-assisted public content | Blog CMS publish and schedule gates block unreviewed AI drafts. | docs/AI_GOVERNANCE_AND_DISCLOSURE_STANDARD.md | Add model/provider provenance capture where provider metadata is available. |
| SEO/GEO blog quality | Articles must pass the quality gate before publish or search submission. | docs/BLOG_SEO_GEO_CONTENT_STANDARD.md | Connect performance tracking to GSC query and conversion metrics. |
| Security certification | Readiness and ISMS docs exist; certification is not claimed. | docs/SECURITY_AUDIT_AND_ISO_27001_ROADMAP.md | External audit scope, auditor, dates, and issued report or certificate. |
| Data processing and subprocessors | Public summary exists with current, conditional, and roadmap provider labels. | docs/DATA_PROCESSING_SUBPROCESSORS.md | Confirm DPA coverage, data region, retention, and enterprise terms per provider. |
| Incident history | Public manual status and incident history register exists. Uptime and no-incident claims remain blocked until monitored evidence exists. | docs/STATUS_INCIDENT_HISTORY.md | Connect automated public monitoring, historical incident import, and owner review workflow. |
| Responsible disclosure and security headers | Public security.txt exists and low-risk Firebase Hosting headers are configured. CSP and Permissions-Policy remain blocked pending frontend inventory. | docs/SECURITY_HEADERS_AND_SECURITY_TXT.md | Capture production headers after deploy and complete CSP/Permissions-Policy compatibility testing. |
Security reports should be specific, safe, and reproducible.
Short answers for enterprise reviewers and crawler extraction.
No. TrueLink documents ISO 27001 and SOC 2 readiness work as a roadmap only. Issued certificates or audit reports must be published before any certification claim is made.
No. AI-assisted public content must store provenance metadata and pass human review before publish, schedule, submission, syndication, or customer delivery.
Send security reports to security@truelink-group.com with affected URL, steps to reproduce, impact, and safe proof of concept details.