Trust and Data Handling in Integration Aggregators
Learn how Sprinto leverages integration aggregators like Merge, Truto, and Leen securely to connect HR, finance, and security data sources while maintaining compliance and customer data protection.
Sprinto integrates with three independent aggregators—Merge, Truto, and Leen—to ensure reliable and scalable access across HR, finance, and security data systems. Each aggregator plays a distinct role in our architecture, offering specific advantages in terms of data flow, storage, and compliance coverage.
This FAQ provides transparency into how these aggregators handle, store, and protect your data. It is not a ranking; Sprinto adopts all three for their complementary capabilities.
Frequently Asked Questions
1. Do the aggregators store customer data or just forward API responses?
Merge: Yes. Merge stores and normalises data in its own database for efficient querying.
Truto: No. Truto acts as a pass-through layer and discards payloads after forwarding the response.
Leen: Yes. Leen stores security telemetry within its “data fabric” for analytics and correlation.
2. Why do they retain data (if applicable)?
Merge: For normalisation, diff-based syncs, webhook triggers, and faster queries.
Truto: Not applicable—payloads are not retained.
Leen: For correlation, trend analysis, and unified security reporting.
3. How long is data retained?
Merge: Indefinitely, until the linked account or organisation is deleted.
Truto: No payloads are stored; tokens and logs are retained for ≤ 180 days, with a full purge 15 days post-termination.
Leen: Retention continues while the integration is active or until deletion is requested.
4. Is the stored data encrypted?
Merge: AES-256 encryption at rest and TLS 1.2+ in transit. Credentials are double-encrypted.
Truto: AES-256 for tokens; TLS 1.3 in transit.
Leen: AES-256 encryption at rest and TLS 1.2+ in transit, in line with SOC 2 controls.
5. Can aggregator staff access the data?
Merge: Only with explicit customer authorisation under strict RBAC controls.
Truto: No—payloads are never stored, and tokens are key-protected.
Leen: Access is governed by least-privilege principles as defined in its SOC 2 framework.
6. What certifications and assurances do they provide?
Merge: SOC 2 Type II, ISO 27001, HIPAA, GDPR/CCPA.
Truto: SOC 2 Type II, ISO 27001, HIPAA, GDPR/CCPA.
Leen: SOC 2 Type II (security-focused scope), GDPR/CCPA.
7. How are access tokens handled?
Merge: Double-encrypted; accessible only to Merge’s sync engine.
Truto: Stored encrypted only if Truto manages token refresh; supports optional self-hosting.
Leen: Stored encrypted within each tenant workspace with no UI exposure.
8. What transport security standards do they follow?
Merge: HTTPS (TLS 1.2+); supports private link or single-tenant hosting.
Truto: HTTPS (TLS 1.3).
Leen: HTTPS with signed webhooks using TLS 1.2+.
9. Do they honour data-deletion requests?
Merge: Yes. Accounts and organisation-wide data can be deleted via UI or API.
Truto: Yes. Purges occur within 15 days of termination or explicit request.
Leen: Yes. Data deletion is supported through API or support ticket.
10. What happens when an integration is terminated?
Merge: Syncs stop, and data remains until deleted.
Truto: Tokens are revoked, and logs/time-boxed data are purged within 15 days.
Leen: Integration is marked inactive; data is retained until deletion.
11. Is any anonymisation applied to stored data?
Merge: No. Data is kept per tenant but fully segregated.
Truto: Not applicable—payloads are not stored.
Leen: No anonymisation; data is isolated per org_id with strict tenant segregation.
12. Where can I review each aggregator’s trust and compliance documentation?
Merge: https://trust.merge.dev/
Truto: Sprinto Trust Center entry
Leen: Contact Sprinto Support for the latest audit summary or vendor trust document.
Key Takeaways
Unified Security Posture: All three aggregators maintain SOC 2 Type II certifications and implement AES-256 encryption and TLS 1.2+ for all data exchanges.
Customer Control: You remain in control of your data. You can:
Delete accounts directly in Merge.
Request full data purge in Truto or Leen.
Automate retention and deletion through Sprinto’s policy engine.