Security

MTT holds timesheets, attestations, and consultant records — data your firm and your clients depend on. We protect it with encryption, strict per-tenant isolation, and a full audit trail, and we never use it to train AI. Here's exactly how.

Data residency

The Service is operated and hosted in the United States. Application servers and the PostgreSQL database run on US infrastructure provided by our cloud hosting sub-processor, Render Services, Inc. Customer Data is processed and stored in the United States.

Encryption

• In transit: All connections to the Service use TLS encryption.
• At rest: Database storage and backups are encrypted at rest.

Per-tenant data isolation

Customer Data is logically scoped by Tenant identifier, and the Service is designed to prevent cross-tenant data access. Each firm's data is isolated from every other firm's at the database level — one Tenant can never see another Tenant's consultants, timesheets, clients, or exports.

Access controls and authentication

• Role-based access: Within a Tenant, what a user can see and do is governed by their role — administrator, approver, or consultant.
• Internal access: Internal access to Customer Data is limited to personnel who need it to operate the Service and is subject to authentication and audit logging.
• Password protection: User passwords are stored only as cryptographic hashes — never in plaintext. We cannot retrieve a forgotten password, only reset it.

Audit trail

Submission, approval, and attestation events are logged with timestamps and — for attestations — the IP address from which the attestation was submitted. Every approval carries a full audit trail, which supports dispute resolution and gives your clients a defensible record behind each signed timesheet.

Your data is never used to train AI

Tricon does not use Customer Data — including timesheet data, consultant records, or any other content submitted to the Service — to train artificial intelligence or machine learning models. We do not sell personal information, and we do not share it with advertisers or use it for behavioral advertising. Customer Data is processed only as needed to deliver the Service to you.

Sub-processors

We engage a small set of trusted, US-based sub-processors to operate the Service (cloud hosting, transactional email, and internal collaboration tools). These providers process personal information on our behalf and are contractually obligated to protect it. The current list — and how we notify Customers of changes — is maintained in our Privacy Policy.

Data retention and export

You can export your Customer Data at any time during your active subscription using the Service's export features. After account termination, you have a thirty (30) day window to export your data before we delete it from active systems, subject to limited retention required by law. Operational logs are typically retained for ninety (90) days. Full details are in our Privacy Policy.

Shared responsibility

No security system is impenetrable, and we cannot guarantee absolute security. You are responsible for safeguarding your own credentials and for promptly notifying us of any suspected unauthorized access to your account.

Reporting a vulnerability

If you believe you have found a security vulnerability or have a question about our security practices, please contact us at security@getmtt.com. We take reports seriously and will investigate promptly. For privacy-specific questions, see our Privacy Policy or email privacy@getmtt.com.