Security

Last updated May 21, 2026

Security is foundational to Traceage. The platform handles supply chain records, compliance evidence, and operational telemetry, and we engineer it to protect that data at every layer. This page summarises our practices.

Encryption

  • In transit — all traffic to and between Traceage services is encrypted with TLS. The platform is HTTPS-only; plaintext connections are not accepted.
  • At rest — databases and backups are encrypted at rest. Secrets are encrypted independently of application data.

Infrastructure Security

  • The platform runs on a hardened Kubernetes environment with network policies that restrict service-to-service communication to only what each service requires.
  • Development secrets are encrypted with SOPS and age key pairs; staging and production secrets are managed through isolated, access-controlled environments and never committed to source control.
  • Environments are isolated from one another, and production access is limited to a small number of authorised operators.

Access Controls

  • Role-based access control — permissions are scoped by role and by tenant, so users see only the data their organisation and role allow.
  • Multi-factor authentication — MFA is available to all accounts and can be enforced organisation-wide by administrators.
  • Audit logging — security-relevant events such as sign-ins, permission changes, and data exports are recorded to support investigation and compliance.

Incident Response

We maintain an incident response process covering detection, triage, containment, eradication, and recovery. If an incident affects your data, we will notify affected customers without undue delay, in line with our contractual and legal obligations, and provide the information needed to assess impact.

Assessments and Certifications

We are committed to independent validation of our security posture as the platform matures:

  • Penetration testing — third-party penetration testing is planned on a recurring cadence; results inform our remediation backlog.
  • SOC 2 — a SOC 2 examination is in scope but not yet completed.
  • ISO 27001 — ISO 27001 certification is planned.

We describe these honestly by status rather than implying completed certifications. This page will be updated as milestones are reached.

Responsible Disclosure

If you believe you have found a security vulnerability in Traceage, we want to hear from you. Please email security@traceage.io with enough detail to reproduce the issue. We aim to acknowledge reports within three business days.

  • Please do not access or modify data that is not yours, degrade the Service, or run automated scans that affect availability.
  • Give us a reasonable opportunity to investigate and remediate before any public disclosure.
  • We do not currently operate a paid bug bounty programme, but we recognise and appreciate good-faith research.