

Data Processing Agreement

Last updated: March 16, 2026 · Effective for all Growth and Partner plan customers

This Data Processing Agreement ("DPA") forms part of the TraceLayer Terms of Service between TraceLayer ("Processor") and the customer entity that has accepted those terms ("Controller"). It satisfies the requirements of GDPR Article 28 and applies where TraceLayer processes personal data on your behalf.

1. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data — i.e., the TraceLayer customer.

"Processor" means TraceLayer, which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).

"Processing" has the meaning given in GDPR Article 4(2) and includes collection, storage, retrieval, use, disclosure, and deletion.

"Sub-processor" means any third party engaged by TraceLayer to process personal data on behalf of the Controller.

"Standard Contractual Clauses" (SCCs) means the European Commission's standard contractual clauses for international data transfers (Commission Decision 2021/914).

2. Subject Matter and Duration

TraceLayer processes personal data to provide the compliance evidence collection and monitoring services described in the Terms of Service. Processing begins when the Controller connects an integration or creates an account and continues for the duration of the subscription, including any trial period.

Upon termination of the agreement, TraceLayer will delete or return all personal data in accordance with Section 10 (Data Retention and Return).

3. Nature and Purpose of Processing

TraceLayer processes personal data for the following purposes:

  • Providing the platform and its features (authentication, dashboard, evidence collection)
  • Collecting compliance evidence from integrated third-party services on behalf of the Controller
  • Generating compliance scores, reports, and audit packages
  • Sending transactional emails (onboarding, alerts, weekly reports)
  • Supporting users and resolving technical issues

Categories of data subjects: The Controller's employees, contractors, and system users whose data is surfaced via connected integrations (e.g., GitHub, AWS IAM, Slack, Google Workspace).

Categories of personal data: Email addresses, names, user identifiers, role and permission data, login events, IP addresses, and integration-specific metadata (e.g., GitHub commit authors, AWS IAM user records). TraceLayer does not collect special categories of personal data (GDPR Article 9) by design.

4. Controller Obligations

The Controller warrants and represents that it:

  • Has a lawful basis for processing personal data and for instructing TraceLayer to process on its behalf
  • Has provided appropriate notices to data subjects and, where required, obtained valid consent
  • Will only provide TraceLayer with the personal data necessary for the stated purposes
  • Will inform TraceLayer promptly of any changes to applicable laws or regulatory requirements affecting the processing
  • Is responsible for ensuring its instructions to TraceLayer comply with applicable data protection law

5. Processor Obligations (TraceLayer)

TraceLayer shall:

  • Process personal data only on documented instructions from the Controller (including via product configuration), unless required to do so by EU or Member State law
  • Ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations
  • Implement appropriate technical and organisational security measures as described in Section 7
  • Assist the Controller in responding to data subject rights requests (Section 8)
  • Notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of a personal data breach affecting Controller data, so that the Controller can meet its own notification obligations under GDPR Article 33
  • Provide all information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits upon 30 days' written notice
  • Delete or return all personal data upon termination of the agreement (Section 10)

6. Sub-processors

TraceLayer uses the following approved sub-processors. We will provide at least 30 days' notice before adding or replacing any sub-processor. If the Controller objects, it may terminate the affected services with a pro-rata refund.

Sub-processor          Purpose                                    Location
Supabase / PostgreSQL  Database hosting and storage               AWS us-east-1 (USA)
Railway                Application hosting (API servers)          AWS us-west (USA)
Vercel                 Frontend hosting and CDN                   Global edge network
Resend                 Transactional email delivery               USA
Sentry                 Error monitoring (no PII in payloads)      USA
Anthropic              AI report generation (anonymised inputs)   USA
LemonSqueezy           Payment processing (billing data only)     USA

7. Security Measures

TraceLayer has implemented the following technical and organisational measures in accordance with GDPR Article 32:

  • Encryption in transit: All data transmitted between clients and servers uses TLS 1.2 or higher
  • Encryption at rest: Database volumes and object storage are encrypted at rest using AES-256
  • Credential security: Integration credentials are encrypted with Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 authentication) before storage; password hashes use bcrypt
  • Access control: Production systems require multi-factor authentication; access is granted on a least-privilege basis
  • Network security: API servers run behind firewalls with restricted inbound rules; security headers applied to all responses
  • Audit logging: Material actions (logins, data exports, integration changes) are logged to an append-only audit log
  • Vulnerability management: Dependencies are monitored for CVEs; critical patches applied within 24 hours

For a full description of our security posture, see our Security page.

8. Data Subject Rights

TraceLayer will, to the extent technically feasible, assist the Controller in fulfilling data subject requests under GDPR Articles 15–22 (access, rectification, erasure, restriction, portability, objection). The Controller remains responsible for responding to data subjects; TraceLayer provides tooling and cooperation at the Controller's written request.

Controllers may request deletion of all personal data associated with their account by contacting privacy@tracelayer.it.com. TraceLayer will complete deletion within 30 days.

9. International Data Transfers

TraceLayer's infrastructure is primarily located in the United States. Transfers of personal data from the European Economic Area (EEA) to the United States are made under the EU Standard Contractual Clauses (Commission Decision 2021/914, Module 2: Controller to Processor). By entering into this DPA, both parties are deemed to have executed the SCCs.

The SCCs are supplemented by the technical and organisational measures described in Section 7, which we assess as providing an essentially equivalent level of protection to that in the EEA.

10. Data Retention and Return

TraceLayer retains personal data for the duration of the active subscription plus a 30-day grace period to allow data export. After this period, or upon written request from the Controller, TraceLayer will permanently delete all personal data from production systems within 30 days and from backups within 90 days.

Upon request, TraceLayer will provide written confirmation of deletion. The Controller may export their data at any time via the platform's export functionality.

11. Liability and Indemnification

Each party shall be liable for damages caused by processing that infringes applicable data protection law. TraceLayer's aggregate liability under this DPA shall not exceed the amounts paid by the Controller in the 12 months preceding the claim. The Controller indemnifies TraceLayer against third-party claims arising from the Controller's unlawful instructions or failure to comply with applicable law.

12. Governing Law

This DPA is governed by the law of the jurisdiction specified in the applicable Terms of Service. For EU/EEA customers, the applicable EU data protection law shall also apply with respect to processing covered by this DPA.

For questions about this DPA or to execute a countersigned copy for enterprise contracts, contact legal@tracelayer.it.com.