1. Infrastructure
TraceLoom runs on Vercel for application compute and Supabase for database, auth, and storage. Both providers hold SOC 2 Type II reports. The application is deployed across multiple regions for redundancy; the primary database is in AWS us-east-2 (Ohio, USA) with point-in-time recovery and daily backups copied to a second region.
All ingress terminates TLS 1.2+ at the edge. Traffic between the application and the database is authenticated with project-scoped Supabase credentials, and the database is not exposed to the public internet.
2. Encryption
In transit: TLS 1.2 minimum, with HSTS preload across all marketing and app subdomains. Modern cipher suites only; SSL Labs A+ rating maintained.
At rest: AES-256 on the Postgres data volume and on object storage. Database backups are encrypted with a key separate from the runtime key.
Secrets: Application secrets live in Vercel encrypted environment variables, scoped per environment (production / preview / development) and rotated on a 90-day cadence.
3. Access control
We use Supabase Auth for identity. Email + password with optional TOTP MFA today; SSO (SAML, OIDC) on Enterprise. JWT-based sessions with rotating refresh tokens.
Internal access to production data is restricted to a small set of named engineers, gated by hardware-key-backed SSO and just-in-time elevation. Access requests are logged and reviewed quarterly. We follow least privilege: customer-success staff have no general read access to production data and see only the operational tables required for support.
4. Tenant isolation
Every customer-facing table enforces row-level security (RLS) keyed on org_id, and the policy is evaluated by Postgres on every query rather than by the application layer. The Supabase anon key is a public, low-privilege credential by design; even if it leaks, queries made with it cannot cross-read another tenant's data.
Internal staff queries that need to span tenants (debugging, support) use a service-role client, which bypasses RLS; every such query emits an audit-log entry with the actor, the tenant touched, and the operation.
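As an added example of the pattern described in section 4 (illustrative code, not TraceLoom's own schema or policy text): a Postgres RLS policy keyed on org_id where the tenant is read from the session JWT rather than from anything the client sends, a self-check that a session for one tenant cannot read or write another tenant's rows, and a wrapper for staff cross-tenant reads that records the audit entry described above. It assumes Supabase conventions: the anon, authenticated and service_role roles, auth.jwt() exposing the session claims, and an org_id claim placed in app_metadata when the session is issued. The orders and staff_access_log tables, the function names and the UUIDs are constructed for illustration.

```sql
-- Added example, not TraceLoom's schema. Assumes Supabase conventions (anon /
-- authenticated / service_role roles, auth.jwt() for the session's claims) and an
-- org_id claim placed in app_metadata when the session is issued.

create table if not exists orders (
  id      bigint generated always as identity primary key,
  org_id  uuid not null,
  payload jsonb not null default '{}'::jsonb
);

alter table orders enable row level security;
grant select, insert, update, delete on orders to authenticated;

-- The caller's tenant is read from the JWT, never from a query parameter or a
-- column the client supplies, so application code cannot widen the scope.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'org_id', '')::uuid
$$;

-- One policy for reads and writes: rows are visible only to their own tenant, and
-- inserted or updated rows must carry the caller's tenant. No policy is granted
-- to anon, so a leaked anon key with no session sees zero rows.
create policy orders_tenant_isolation on orders
  for all
  to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Cross-tenant staff access: service_role bypasses RLS, so route it through a
-- function that records actor, tenant and operation before returning rows.
create table if not exists staff_access_log (
  id        bigint generated always as identity primary key,
  at        timestamptz not null default now(),
  actor     text not null,
  org_id    uuid not null,
  operation text not null
);

create or replace function staff_read_orders(actor text, target_org uuid)
returns setof orders
language plpgsql as $$
begin
  insert into staff_access_log (actor, org_id, operation)
    values (actor, target_org, 'read:orders');
  return query select * from orders where org_id = target_org;
end $$;

revoke all on function staff_read_orders(text, uuid) from public, anon, authenticated;
grant execute on function staff_read_orders(text, uuid) to service_role;

-- Self-check: two constructed tenants, then a simulated tenant-1 session the way
-- PostgREST establishes one (set role + request.jwt.claims). Runs inside a
-- transaction and rolls back, so it leaves no rows behind.
begin;
insert into orders (org_id, payload) values
  ('11111111-1111-1111-1111-111111111111', '{"sku": "A"}'),
  ('22222222-2222-2222-2222-222222222222', '{"sku": "B"}');

set local role authenticated;
select set_config('request.jwt.claims',
  '{"role": "authenticated", "app_metadata": {"org_id": "11111111-1111-1111-1111-111111111111"}}',
  true);

do $$
begin
  if (select count(*) from orders) <> 1 then
    raise exception 'tenant 1 should see exactly its own row';
  end if;
  if exists (select 1 from orders
             where org_id = '22222222-2222-2222-2222-222222222222') then
    raise exception 'cross-tenant read succeeded: RLS is not in effect';
  end if;
  -- An insert tagged with another tenant fails the WITH CHECK clause (SQLSTATE 42501).
  begin
    insert into orders (org_id) values ('22222222-2222-2222-2222-222222222222');
    raise exception 'cross-tenant insert succeeded';
  exception when insufficient_privilege then
    null;
  end;
end $$;
rollback;
```

Run the self-check under the exact roles PostgREST uses, not as the table owner: the owner is exempt from RLS unless the table is altered with `force row level security`, and a policy that passes when tested as postgres can still leak when the real anon or authenticated role hits it. The `with check` half matters as much as `using`; without it a tenant can write rows it will never be able to read back, which is a common way to corrupt another tenant's data.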
5. Monitoring & logging
Application logs flow to Vercel; database logs and connection metrics flow to Supabase's observability layer. Authentication events (sign-in, password reset, MFA enrolment) and admin actions are recorded in an immutable audit-log table retained for 12 months.
Anomaly alerts (auth failure spikes, unusual query volume, error-rate breach) page the on-call engineer within 60 seconds of detection.
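As an added example covering both the append-only audit table and the auth-failure spike alert described in section 5 (illustrative code, not TraceLoom's own schema or alerting rules): the table is made immutable by Postgres itself, with a trigger plus revoked privileges, rather than by application convention; a set of constructed sample events is loaded; a detection query flags accounts or source addresses with more than ten failed sign-ins in a five-minute window; and a final block confirms that a delete is rejected. The audit_log table, its columns, the threshold, the Supabase role names and the sample identities and addresses are assumptions.

```sql
-- Added example, not TraceLoom's schema. Table, columns, thresholds and sample
-- data are constructed for illustration; role names follow Supabase conventions.

create table if not exists audit_log (
  id        bigint generated always as identity primary key,
  at        timestamptz not null default now(),
  event     text not null,        -- e.g. 'auth.sign_in_failed', 'admin.role_changed'
  actor     text,                 -- user id or email; null for unauthenticated attempts
  org_id    uuid,
  source_ip inet,
  detail    jsonb not null default '{}'::jsonb
);

create index if not exists audit_log_event_at on audit_log (event, at);

-- Immutability, enforced in the database: rows can be appended but never changed.
create or replace function audit_log_reject_change() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected on id %', tg_op, old.id
    using errcode = 'insufficient_privilege';
end $$;

create trigger audit_log_append_only
  before update or delete on audit_log
  for each row execute function audit_log_reject_change();

-- Row triggers do not fire on TRUNCATE, and the owner can drop a trigger, so also
-- withhold the privileges from every application role.
revoke update, delete, truncate on audit_log from public, anon, authenticated, service_role;
grant select, insert on audit_log to authenticated, service_role;

-- Constructed sample events: one account failing repeatedly from one address in
-- the last minute, and one account with a single failure followed by success.
insert into audit_log (at, event, actor, org_id, source_ip)
select now() - n * interval '1 second', 'auth.sign_in_failed', 'alice@example.com',
       '11111111-1111-1111-1111-111111111111', '203.0.113.10'
from generate_series(1, 25) as n;

insert into audit_log (at, event, actor, source_ip) values
  (now() - interval '2 minutes', 'auth.sign_in_failed', 'bob@example.com', '198.51.100.7'),
  (now() - interval '1 minute',  'auth.sign_in',        'bob@example.com', '198.51.100.7');

-- Detection: failed sign-ins per account and per source address over a sliding
-- 5-minute window. Anything over the threshold is what would page on-call.
with recent as (
  select actor, source_ip
  from audit_log
  where event = 'auth.sign_in_failed'
    and at >= now() - interval '5 minutes'
),
spikes as (
  select 'actor' as key_type, actor as subject, count(*) as failures
  from recent group by actor
  union all
  select 'source_ip', host(source_ip), count(*)
  from recent group by source_ip
)
select key_type, subject, failures
from spikes
where failures > 10
order by failures desc;

-- Tamper check: a delete is rejected by the trigger (or, for an application role,
-- by the missing privilege); either way SQLSTATE 42501 is raised and caught here.
do $$
begin
  delete from audit_log where actor = 'alice@example.com';
  raise exception 'audit_log accepted a delete';
exception when insufficient_privilege then
  raise notice 'delete rejected as expected: %', sqlerrm;
end $$;
```

The sample data is built so that only the repeatedly failing account and its source address cross the threshold while a single failure followed by a successful sign-in does not; in production the query runs on a schedule against the live table and its rows become the alert payload. Note the limits of in-database immutability: a superuser or the table owner can still drop the trigger or alter the table, so for a log that must survive a compromised database account, ship the rows to a store the application roles cannot write to.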
6. Incident response
We commit to the following incident-response SLAs:
- Acknowledge: within 1 business hour of detection or report
- Initial customer notification: within 24 hours for any incident potentially affecting customer data
- Personal-data breach notification to the supervisory authority: within 72 hours of becoming aware, per GDPR Art. 33
- Post-incident report: within 14 days, including root cause and remediation timeline
The full incident-response runbook is available to enterprise customers under NDA on request.
7. Penetration testing
We retain an independent third-party security firm for an annual external penetration test against the production environment. Critical and high-severity findings are remediated before the test report is closed; the most recent test summary letter is available to enterprise customers under NDA.
Internal continuous testing includes static analysis on every PR, dependency vulnerability scanning (Dependabot + npm audit on CI), and weekly automated DAST scans against staging.
8. Compliance roadmap
SOC 2 Type II: in progress. Status letters available from sales; full report on completion.
GDPR / UK GDPR: compliant. See our DPA and Privacy Policy.
CSRD / CSDDD readiness: the Mill Profile data model and DPP export target the EU Corporate Sustainability Reporting Directive and Corporate Sustainability Due Diligence Directive disclosure structures.
ISO 27001: on the roadmap; targeted as part of the SOC 2 Type II follow-on programme.
9. Sub-processors
The full list of sub-processors, including region and certification status, is published in section 4 of our DPA. We give 30 days' notice before adding or replacing a sub-processor.
10. Responsible disclosure
If you discover a security vulnerability in TraceLoom, we want to hear about it. Use the form below or email security@traceloom.com. For sensitive details, encrypt with our PGP key (fingerprint and key URL available on request from security@traceloom.com).
In scope: traceloom.com, app.traceloom.com, *.traceloom.com (excluding marketing landing pages), and our publicly documented APIs. Out of scope: social engineering, denial-of-service, physical security, third-party services we don't control.
Safe harbour: good-faith research within scope is authorised. We will not pursue legal action against researchers who disclose responsibly and avoid violating customer privacy or destroying data.
11. Common questions
Where is my data stored? Primary in AWS us-east-2 (Ohio, USA). EU regional hosting is available on Enterprise.
How long are backups kept? Daily backups for 30 days, weekly for 90 days. All backups encrypted at rest with a key separate from the runtime key.
Can I require MFA for my org? Yes — org admins can enforce MFA for all users in their organisation settings.
Do you support SSO? Yes, SAML 2.0 and OIDC on the Enterprise plan.
Where can I get a security questionnaire? We can complete CAIQ, SIG, or your own template. Email security@traceloom.com with the doc and we'll return it within five business days.