Security at TraceLayer

We help you prove your security posture to auditors — so ours needs to be rock-solid too. Here's exactly how we protect your data.

TLS 1.2+ in transit · AES-256 at rest · MFA enforced · SOC 2 Type II (in progress) · GDPR compliant

  • 99.9% uptime SLA (measured monthly)
  • 72 h breach notification (GDPR requirement)
  • 24 h patch SLA for critical CVEs (CVE response)
  • 2 years audit log retention (append-only)

Infrastructure & Hosting

TraceLayer runs on Railway (API) and Vercel (frontend), both hosted on AWS infrastructure. Data is stored in Supabase PostgreSQL (AWS us-east-1) with automated daily backups retained for 30 days.

All servers are protected by network-level firewalls. Inbound access to the API is restricted to HTTPS on port 443. There is no direct database access from the public internet.

Application deployments are automated via CI/CD pipelines with mandatory security checks. Each production deployment is immutable; rollbacks are available within minutes.

Encryption

In transit: All traffic between clients and TraceLayer servers is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. HSTS is enforced in production.
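A check for the two transport claims above (plain HTTP is redirected, HSTS is sent on the HTTPS response), as an added example rather than anything from TraceLayer. The Response objects and hostnames are constructed stand-ins; feed it real responses from http.client or requests to run it against a live host.

```python
"""Assess an HTTP->HTTPS redirect and a Strict-Transport-Security policy.

Added example, not TraceLayer code. `Response` is a constructed stand-in for
a client's view of a response; only status and headers matter here.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

ONE_YEAR = 31_536_000  # seconds; the max-age floor for HSTS preload eligibility


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def _header(headers: dict, name: str):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_redirect(http_response: Response, requested_url: str) -> list:
    """Findings for the response to a plain-HTTP request; empty list means clean."""
    findings = []
    if http_response.status not in (301, 308):
        findings.append(f"plain-HTTP request answered {http_response.status}, expected a permanent redirect")
    target = urlparse(_header(http_response.headers, "Location") or "")
    if target.scheme != "https":
        findings.append("redirect target is not https")
    elif target.hostname != urlparse(requested_url).hostname:
        findings.append("redirect changes host; an HTTP->HTTPS upgrade should keep the host")
    return findings


def check_hsts(https_response: Response) -> list:
    """Findings for the HSTS policy on the HTTPS response; empty list means clean."""
    raw = _header(https_response.headers, "Strict-Transport-Security")
    if raw is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(raw)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not an integer"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 disables HSTS")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set; subdomains stay reachable over plain HTTP")
    if "preload" in directives and (max_age < ONE_YEAR or "includesubdomains" not in directives):
        findings.append("preload set but its preconditions (one-year max-age, includeSubDomains) are not met")
    return findings
```

Note that HSTS only takes effect once a browser has seen one clean HTTPS response, so the redirect check and the header check together cover the first visit and every later one.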

At rest: Database volumes and object storage (evidence files, reports) are encrypted at rest using AES-256 via the underlying cloud provider.

Credentials: Integration credentials (API keys, tokens) are encrypted with Fernet symmetric encryption (AES-128-CBC with an HMAC-SHA256 authentication tag) before being stored. The encryption key is stored separately from the database and rotated periodically. User passwords are hashed with bcrypt and never stored in plaintext.
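How Fernet key rotation works without losing access to credentials that were encrypted under the previous key, as an added example written here rather than TraceLayer's own code. It uses the cryptography package's Fernet and MultiFernet; the in-memory `tokens` dict is a constructed stand-in for the credentials column, and `load_keys_from_env` assumes the key ring is supplied through an environment variable named CREDENTIAL_KEYS (a name chosen for this example).

```python
"""Encrypt integration credentials with Fernet and rotate the key in place.

Added example, not TraceLayer code. Assumes the key ring lives outside the
database (environment variable or secret manager); `tokens` stands in for
the database column that holds the ciphertexts.
"""
import os

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


class CredentialVault:
    def __init__(self, keys):
        # keys[0] encrypts new secrets; any older keys in the ring only serve
        # to decrypt tokens written before the last rotation.
        self.keys = list(keys)
        self.tokens = {}  # name -> Fernet token (constructed stand-in for the DB column)

    @classmethod
    def bootstrap(cls):
        """Fresh vault with a newly generated key, for first-time setup or tests."""
        return cls([Fernet.generate_key()])

    @property
    def _ring(self) -> MultiFernet:
        return MultiFernet([Fernet(k) for k in self.keys])

    def store(self, name: str, secret: bytes) -> None:
        self.tokens[name] = self._ring.encrypt(secret)

    def reveal(self, name: str) -> bytes:
        return self._ring.decrypt(self.tokens[name])

    def rotate(self) -> bytes:
        """Generate a new key, re-encrypt every stored token under it, retire the old keys."""
        new_key = Fernet.generate_key()
        ring = MultiFernet([Fernet(new_key)] + [Fernet(k) for k in self.keys])
        # MultiFernet.rotate() decrypts with whichever key fits and re-encrypts
        # with the first key in the ring, so every token ends up under new_key.
        self.tokens = {name: ring.rotate(token) for name, token in self.tokens.items()}
        self.keys = [new_key]
        return new_key


def decrypts_with(key: bytes, token: bytes) -> bool:
    """True if `token` opens under `key`; used to confirm a retired key is really dead."""
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False


def load_keys_from_env(var: str = "CREDENTIAL_KEYS"):
    """Comma-separated key ring from the environment, current key first (assumed layout)."""
    raw = os.environ.get(var)
    if not raw:
        raise RuntimeError(f"{var} not set; refusing to start without a credential key")
    return [k.strip().encode() for k in raw.split(",") if k.strip()]


if __name__ == "__main__":
    vault = CredentialVault.bootstrap()
    vault.store("github", b"ghp_constructed_example")
    retired = vault.keys[0]
    vault.rotate()
    print("still readable after rotation:", vault.reveal("github"))
    print("old key still opens new token:", decrypts_with(retired, vault.tokens["github"]))
```

Rotation is only complete once every token has been re-encrypted; until then the old key has to stay in the ring, so a production rotation job should run re-encryption to completion before the old key is removed from wherever the ring is stored.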

Access Control

Multi-factor authentication is enforced for all TraceLayer production systems. Access is granted on a least-privilege basis — engineers only access the systems required for their role.

Customer data is strictly isolated by company. Our multi-tenant architecture ensures one customer's data cannot be read by another, enforced at both the application layer (the company ID comes from the verified JWT claims and is checked against every row returned) and the database layer.
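What "JWT claims + row-level checks" looks like in code, as an added example that is not TraceLayer's implementation. HS256 tokens are minted and verified with the standard library so the block runs offline; the `EVIDENCE` rows, the `company_id` claim name and the `acme`/`globex` tenants are constructed for the example. The database-layer half is assumed to be a Postgres row-level security policy keyed on the same company ID, which this block does not show.

```python
"""Tenant isolation at the application layer: the tenant comes from a verified
JWT claim and is re-checked on every row, never taken from a request parameter.

Added example, not TraceLayer code. `EVIDENCE` is a constructed stand-in for
a multi-tenant table.
"""
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, claims: dict) -> str:
    """Issue an HS256 JWT; `claims` carries the tenant as company_id."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Return the claims only if algorithm, signature, expiry and tenant claim all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    # Pin the algorithm server-side: the token's own alg field is attacker-controlled.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise AuthError("token expired")
    if not claims.get("company_id"):
        raise AuthError("no tenant claim")
    return claims


# Constructed sample rows; company_id is the tenant key on every table.
EVIDENCE = [
    {"id": 1, "company_id": "acme", "file": "access-policy.pdf"},
    {"id": 2, "company_id": "globex", "file": "pentest-report.pdf"},
    {"id": 3, "company_id": "acme", "file": "dpa-signed.pdf"},
]


def list_evidence(claims: dict) -> list:
    """Tenant filter taken from the verified claim, not from the request."""
    return [row for row in EVIDENCE if row["company_id"] == claims["company_id"]]


def get_evidence(claims: dict, evidence_id: int) -> dict:
    """Row-level check: a row fetched by id is still refused if it belongs to another tenant.

    Missing and foreign rows raise the same error so callers cannot probe for ids.
    """
    row = next((r for r in EVIDENCE if r["id"] == evidence_id), None)
    if row is None or row["company_id"] != claims["company_id"]:
        raise LookupError("evidence not found")
    return row
```

The two checks are deliberately redundant: the list query filters by tenant, and the by-id lookup re-checks the tenant on the row itself, so a handler that forgets the filter still cannot hand out another company's row.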

Access to production databases requires VPN and is limited to a small team of senior engineers. All access is logged and reviewed quarterly.

Audit Logging & Monitoring

All material user actions — logins, integration connections, data exports, permission changes, and admin operations — are written to an append-only audit log retained for 2 years. Customers can access their own audit log from the TraceLayer dashboard.

Infrastructure metrics and API errors are monitored 24/7 via Sentry and Railway's observability tooling. Anomaly alerts are routed to our on-call rotation. Error events are scrubbed of PII before being sent to monitoring providers.
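One way to scrub PII from error events before they leave for a monitoring provider, as an added example and not TraceLayer's code. It is written as a pure function in the shape of the Sentry Python SDK's before_send hook (event dict in, event dict or None out) so it can be unit-tested offline; the sample event, the key list and the redaction marker are constructed for the example.

```python
"""Strip PII from an error event before it is sent to a monitoring provider.

Added example, not TraceLayer code. `scrub_event` has the signature of the
Sentry Python SDK's before_send hook; wire it up with
sentry_sdk.init(before_send=scrub_event). The key list is an assumption
about what counts as PII for this service.
"""
import copy
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTED = "[redacted]"

# Keys whose values are dropped wherever they appear (case-insensitive).
SENSITIVE_KEYS = {
    "email", "username", "ip_address", "password",
    "authorization", "cookie", "set-cookie", "x-api-key", "api_key", "token",
}


def _scrub(value):
    """Recursively redact sensitive keys and email addresses inside free text."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else _scrub(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    if isinstance(value, str):
        return EMAIL_RE.sub(REDACTED, value)
    return value


def scrub_event(event: dict, hint=None) -> dict:
    """before_send-style hook: return a copy of the event with PII removed.

    The user block is reduced to its id so events still correlate to an
    account without carrying email or IP; everything else is scrubbed by key
    and by pattern, including exception messages and breadcrumbs.
    """
    event = copy.deepcopy(event)  # never mutate the SDK's own object
    user = event.get("user")
    if isinstance(user, dict):
        event["user"] = {"id": user["id"]} if "id" in user else {}
    return _scrub(event)


# Constructed sample event in the Sentry event-dict shape.
SAMPLE_EVENT = {
    "message": "Export requested by bob@example.com",
    "user": {"id": "u42", "email": "bob@example.com", "ip_address": "203.0.113.7"},
    "request": {
        "url": "https://app.example.com/export",
        "headers": {"Authorization": "Bearer constructed", "User-Agent": "curl/8"},
    },
    "exception": {"values": [{"type": "ValueError", "value": "bad address carol@example.org"}]},
    "extra": {"company_id": "acme", "note": "contact carol@example.org"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(scrub_event(SAMPLE_EVENT), indent=2))
```

Scrubbing by key catches structured fields; the email pattern catches PII that ends up inside exception messages and breadcrumbs, which is where it most often leaks. Keep send_default_pii at its default (off) as well, so the SDK does not attach request bodies and user details that this hook never sees.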

Incident Response

In the event of a confirmed personal data breach, TraceLayer will:

  • Notify affected customers within 72 hours of becoming aware of the breach. GDPR Article 33 gives a controller 72 hours to notify its supervisory authority and requires a processor to notify the controller without undue delay, so this window is set to leave customers time to meet their own deadline
  • Provide a written incident report detailing the nature of the breach, data affected, likely consequences, and remediation steps taken
  • Cooperate with supervisory authorities and customers during any investigation

All incidents are tracked in a private incident register with root-cause analysis and follow-up actions documented.

Vulnerability Management

Dependency scanning: All backend and frontend dependencies are monitored for known CVEs using automated tooling. Critical vulnerabilities are patched within 24 hours; high-severity within 7 days.

Penetration testing: TraceLayer conducts annual third-party penetration tests. Findings are triaged by severity and remediated according to our patch SLAs.

OWASP Top 10: Code reviews include security checks for injection, broken authentication, XSS, insecure deserialization, and other OWASP Top 10 risks.

Employee & Organisational Security

All employees and contractors with access to production systems undergo background checks and sign confidentiality agreements before their first day. Security awareness training is conducted annually and upon onboarding.

Access is revoked immediately upon offboarding. We maintain a clear acceptable-use policy and enforce device management (screen lock, disk encryption) on all devices used to access production systems.

Compliance Roadmap

  • GDPR — Data Processing Agreement: available
  • SOC 2 Type I audit — Q3 2026: in progress
  • SOC 2 Type II audit — Q1 2027
  • ISO 27001 certification — 2027

Security questions or vulnerability reports?

If you've found a security issue or have questions about our security posture, please contact our security team directly. We respond to all reports within 48 hours.