Security Reviews

Information about security reviews and frequently asked questions.

Typically, security reviews will be completed as part of the process of negotiating your Trello Enterprise contract. If you have additional reviews or questions about our security procedures, we suggest reviewing our Operations And Security Guide:
https://trello.com/trello-operations-and-security-guide.pdf

If you have additional questions, reach out to your Account Manager. They can either answer the question themselves or put you in touch with our security team.

Frequently Asked Questions

What encryption does Trello offer in transit? - There is no non-TLS option for connecting to trello.com. All connections are made securely over HTTPS. TLS 1.2 is preferred; TLS 1.1 and 1.0 are supported; the deprecated protocols SSLv2 and SSLv3 are not supported. Full information on our configuration is available at https://www.ssllabs.com/ssltest/analyze.html?d=trello.com&hideResults=on&latest

What encryption does Trello offer at rest? - Enterprise users have their uploaded attachments encrypted at rest.

Can users create accounts outside of the enterprise? - They can create their own boards outside of private teams. There’s no way to disable this. As a result, it’s important to emphasize that users should create boards as part of the Enterprise teams. (This is also required for those boards to have Enterprise features.) Your account manager and support team can provide more information on this.

Does Trello offer deprovisioning with SSO? - Not currently. If SSO is enforced for your teams and you disable someone’s SSO credentials, they will no longer be able to access the app, but their Trello account will still exist. If SSO is enabled as a convenience rather than enforced, the user will still be able to access their account using a password. We strongly recommend deactivating team membership for terminated employees.

What other security settings exist? - Security settings outside of SSO are enabled per-team. Team admins can restrict membership of the team by domain, restrict board membership to team members only, and restrict who can create boards within the team. We strongly suggest restricting team membership by domain and board membership to team members only. Those settings are on the settings page for the team, and can be accessed by a team admin. More info is available here, here, and here.
