
Tracelia Security Policy

Architecture & Standards

Last Updated: January 16, 2026

At Tracelia, security is not an afterthought—it is the foundation of the Digital Product Passport platform we are building. We understand that our future customers will entrust us with critical supply chain data. This document outlines the technical, administrative, and physical controls implemented in our infrastructure and software design.

Note: Tracelia is currently in a pre-launch phase. The security measures described below reflect the architecture of the SaaS platform currently under development and testing. This document is provided for informational purposes and does not constitute a contractual Service Level Agreement (SLA).

1. Infrastructure & Cloud Security

We operate on a "Zero Trust" architecture, leveraging world-class cloud providers to ensure maximum availability, redundancy, and security.

1.1. Hosting & Data Centers

  • Primary Processing: Our application logic is hosted on Render (AWS-backed infrastructure), primarily located in the Frankfurt (EU-Central-1) region to ensure GDPR compliance and low latency for European markets.
  • Frontend Delivery: We use Vercel's Edge Network for global content delivery, ensuring rapid loading times and protection against DDoS attacks.
  • Physical Security: We do not own or operate physical data centers. Our infrastructure providers maintain industry-standard certifications. Tracelia itself is not currently certified under these standards but relies on certified infrastructure providers.

1.2. Network Security

  • Cloudflare Proxy: Traffic to Tracelia passes through Cloudflare, providing a Web Application Firewall (WAF), automated DDoS mitigation, and bot protection.
  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or 1.3. We utilize HSTS (HTTP Strict Transport Security) to enforce secure connections.
  • Encryption at Rest: All production databases and file storage buckets are encrypted at rest using AES-256 standards.

2. Application Security

Our platform is designed with "Security by Design" principles to protect user accounts and data integrity.

2.1. Authentication & Authorization

  • Password Hashing: User passwords are never stored in plain text. We use Argon2id, a state-of-the-art memory-hard hashing algorithm resistant to GPU/ASIC brute-force attacks.
  • Token Management: API access is secured via short-lived JWT (JSON Web Tokens) for access and securely rotated Refresh Tokens for session management.
  • RBAC: The platform architecture enforces strict Role-Based Access Control (Owner, Admin, Editor, Viewer) at the API level.
  • 2FA: Two-Factor Authentication (TOTP) will be available upon commercial launch.
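The token model described above (short-lived JWT access tokens, rotated refresh tokens, and a role check enforced at the API layer) can be illustrated with a small self-contained example. This is an added illustration, not Tracelia's own code; it assumes an HS256 (HMAC-SHA256) signing key loaded from a secrets manager, a 15-minute access-token lifetime, and an in-memory refresh-token store, all of which are constructed here for the demonstration. The refresh store goes slightly beyond the text: it treats reuse of an already-rotated refresh token as a signal of theft and retires every token of that session.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values (hypothetical); a real deployment loads the key from a secrets manager.
SIGNING_KEY = b"demo-hs256-key-not-for-production"
ACCESS_TTL_SECONDS = 900  # short-lived access token (15 minutes)
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2, "Owner": 3}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_access_token(user_id: str, role: str, now: int) -> str:
    """Build a compact HS256 JWT carrying the user's role and a short expiry (exp claim)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "role": role, "iat": now, "exp": now + ACCESS_TTL_SECONDS}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_access_token(token: str, now: int) -> dict:
    """Return the claims, or raise ValueError if the token is malformed, uses another alg, is forged or expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the server, not the token, decides the algorithm
        raise ValueError("unsupported alg")
    expected = _sign(header_b64 + "." + claims_b64)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def has_role(claims: dict, minimum: str) -> bool:
    """RBAC check at the API layer: Owner > Admin > Editor > Viewer."""
    return ROLE_RANK.get(claims.get("role"), -1) >= ROLE_RANK[minimum]


class RefreshTokenStore:
    """Opaque, single-use refresh tokens. Every refresh rotates the token; presenting an
    already-rotated token is treated as theft and retires the whole session."""

    def __init__(self):
        self._active = {}        # refresh token -> session record
        self._retired = {}       # previously valid token -> session id (reuse detection)
        self.revoked_sessions = set()

    def issue(self, user_id: str, role: str) -> tuple:
        """Start a session at login and hand out its first refresh token."""
        session_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._active[token] = {"sub": user_id, "role": role, "sid": session_id}
        return token, session_id

    def rotate(self, token: str, now: int) -> tuple:
        """Exchange a refresh token for a new (access_token, refresh_token) pair."""
        record = self._active.pop(token, None)
        if record is None:
            sid = self._retired.get(token)
            if sid is not None:
                # Reuse of a rotated token: retire every outstanding token of that session.
                self.revoked_sessions.add(sid)
                for stale in [t for t, r in self._active.items() if r["sid"] == sid]:
                    self._retired[stale] = self._active.pop(stale)["sid"]
            raise ValueError("invalid or reused refresh token")
        self._retired[token] = record["sid"]
        new_refresh = secrets.token_urlsafe(32)
        self._active[new_refresh] = record
        return mint_access_token(record["sub"], record["role"], now), new_refresh
```

The access token is verified on every request without touching the database, which is why it must stay short-lived; the refresh token is opaque and checked against the store, which is where revocation and reuse detection live.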

2.2. Development Standards

  • Static Analysis: We use automated tools (SAST) to scan code for vulnerabilities before every deployment.
  • Supply Chain Security: We regularly scan our software dependencies for known vulnerabilities using automated tools (e.g., Dependabot, Snyk).
  • Environment Isolation: We maintain strict separation between Development, Staging, and Production environments. Test data is never used in the Production environment.

3. Data Protection & Continuity

3.1. Database Security

  • We use managed PostgreSQL databases with automated daily backups.
  • Backups are encrypted and stored in multiple availability zones to ensure data durability.
  • Point-in-Time Recovery (PITR): Our configuration allows for restoring the database to a specific state in the event of a critical failure.

3.2. File Storage

  • Product certificates and documents are stored in Cloudflare R2 (S3-compatible object storage).
  • Presigned URLs: Private files are served via time-limited, signed URLs, ensuring that only authorized users can access a specific document and preventing unauthorized bulk scraping.
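To show what a time-limited signed URL buys you, here is an added example (not Tracelia's code, and not Cloudflare R2's own S3-style presigning, which the storage SDK produces). It assumes a generic HMAC-SHA256 scheme with a constructed signing key and base URL: the object path, the expiry time and the requesting user are bound into the signature, so a URL issued for one document cannot be edited to fetch another, replayed after expiry, or reused by a different account.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo values (hypothetical); a real service keeps the key out of source control.
URL_SIGNING_KEY = b"demo-url-key-not-for-production"
BASE_URL = "https://files.example.invalid"
DEFAULT_TTL_SECONDS = 300


def _canonical(path: str, expires: int, user_id: str) -> bytes:
    # Everything the server must later trust is covered by the signature.
    return f"{path}\n{expires}\n{user_id}".encode("utf-8")


def presign(path: str, user_id: str, now: int, ttl: int = DEFAULT_TTL_SECONDS) -> str:
    """Issue a URL for one object that is valid for `ttl` seconds and tied to `user_id`."""
    expires = now + ttl
    sig = hmac.new(URL_SIGNING_KEY, _canonical(path, expires, user_id), hashlib.sha256).hexdigest()
    return f"{BASE_URL}{path}?" + urlencode({"uid": user_id, "exp": expires, "sig": sig})


def verify_presigned(url: str, now: int) -> tuple:
    """Return (True, object_path) when the URL may be served, else (False, reason)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        user_id = query["uid"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameter"
    expected = hmac.new(URL_SIGNING_KEY, _canonical(parts.path, expires, user_id), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time; also fails if path/uid/exp were edited
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, parts.path


if __name__ == "__main__":
    issued_at = 1_700_000_000
    link = presign("/certs/lot-42.pdf", "user-7", issued_at)
    print(link)
    print(verify_presigned(link, issued_at + 10))          # (True, '/certs/lot-42.pdf')
    print(verify_presigned(link, issued_at + 300))         # (False, 'expired')
    print(verify_presigned(link.replace("lot-42", "lot-43"), issued_at + 10))  # (False, 'bad signature')
```

Because the path is inside the signed string, enumerating neighbouring object names with a single valid signature fails, which is the property the policy relies on to prevent bulk scraping; the short expiry limits how long a leaked link stays useful.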

4. Internal Access & Operations

As a founder-led project, we prioritize the principle of least privilege in all operational procedures.

  • Access Control: Access to production infrastructure is restricted solely to authorized engineering personnel (currently the Founder) and is protected by Multi-Factor Authentication (MFA/2FA).
  • Audit Trails: Sensitive actions within the system (e.g., database schema changes, deployment triggers) are logged for security review.
  • Device Security: Development workstations are secured with disk encryption (FileVault/BitLocker) and strong passwords.

5. Compliance & Privacy

5.1. GDPR

Tracelia is built to be fully compliant with the General Data Protection Regulation (GDPR).

  • Data Minimization: We design our data models to collect only what is necessary for the service.
  • Right to Erasure: Our architecture supports the permanent deletion of customer data upon request (subject to data retention laws regarding product compliance).
  • Data Processing: Upon commercial launch, we will offer a standard Data Processing Agreement (DPA) for our B2B customers.

5.2. Third-Party Audits

While Tracelia acts as a Data Processor, we rely on sub-processors who hold top-tier certifications such as ISO 27001, SOC 2, and FedRAMP.

6. Vulnerability Management

6.1. Handling Process

We take security reports seriously.

  • Triage: Reported vulnerabilities are reviewed and prioritized based on severity (CVSS).
  • Remediation: We aim to address critical vulnerabilities as a priority, typically within 48 hours, and high-severity issues as quickly as possible.

6.2. Responsible Disclosure

We welcome feedback from security researchers. If you believe you have found a vulnerability in Tracelia, please report it to us responsibly.

Contact: security@tracelia.com

Policy: We do not currently offer a monetary bug bounty program, but we acknowledge and appreciate researchers who help us keep our platform safe. We ask that you do not exploit vulnerabilities to access other customers' data or disrupt our services.

Contact Us

For any security-related questions or concerns, please contact our Security Team at: security@tracelia.com.


© 2026 Tracelia. All rights reserved.
