Tray encrypts all data at rest and in transit. Sensitive credentials such as tokens and API keys receive additional safeguards to prevent misuse.

Tray enforces single sign-on (SSO) and phishing-resistant two-factor authentication. Role-based permissions control access so users view only what's relevant to their role.

Tray monitors systems around the clock with automated alerts and on-call security experts. Every action is logged, and customers can stream logs to their own systems.

Tray’s security is tested by independent experts. We complete SOC 1 and SOC 2 Type 2 audits, conduct annual penetration tests, and run a bug bounty program with the security community.

Tray complies with GDPR, CCPA, and HIPAA. Our security and privacy controls are designed to meet strict legal obligations across regions.

Customers choose US, EU, or APAC hosting to meet regional requirements. Local hosting supports compliance with privacy regulations and data transfer rules.

Tray provides a standard DPA and maintains a current sub-processor list. Vendors we work with must meet the same standards we commit to.

Tray maintains a privacy function that oversees data protection policies and regulatory compliance. Every employee completes required training on privacy and data handling each year.

Tray’s AI features are designed for flexibility and transparency, giving customers full control. You own all AI output, can opt out at any time, and decide where prompts and models are used. Tray never trains on your data, and AI providers do not retain prompts or responses after processing.

Set retention from 30 days to 24 hours, or disable it. You control the data footprint without losing error visibility.

Tray records every action across the platform. Stream logs to your own systems to create a complete record for oversight and compliance reporting.

You grant time-limited access when you need Tray’s support team to view your data. All access requests and actions generate audit events for compliance tracking.

Tray Guardian protects sensitive information in AI workflows. It applies tokenization, redaction, and policy controls so teams can use Tray AI safely without exposing confidential data.

Tray uses AWS multi-region hosting with availability zones to keep services running. Systems are monitored continuously to prevent and detect downtime.

Customer data is backed up at least daily and stored in separate locations. Disaster recovery is tested annually, with recovery time and point objectives clearly defined.

Confirmed incidents trigger immediate investigation and notification. Tray provides customers details on impact, remediation, and prevention.

Security and engineering teams are on call 24/7 to respond to incidents. Plans are in place to maintain critical operations during unexpected events, and policies keep security and compliance standards active under stress.