Beta: Traceback is in public beta. Expect rough edges. Remaining features rolling out throughout May.
Security

How we keep your data safe.

What we do today, what we're working on, and what you can ask us to clarify before you trust us with a workspace.

Compliance

We don't have SOC 2 yet.

Step 01 · Today (Active)

Foundations

What's already in place: encryption at rest and in transit, scoped credentials, audit logs, and hardened authentication through Clerk.

  • Clerk auth (SOC 2 Type II)
  • Encryption everywhere
  • Audit logs
  • Vendor-reviewed providers

Step 02 · Next (Next)

SOC 2 Type II

Active work. Controls are implemented and being evidenced. We'll share the report with prospects under NDA when it's ready.

  • Policies finalized
  • Continuous monitoring
  • Annual external audit
  • Customer-facing trust report

Step 03 · After SOC 2 (Future)

ISO 27001 and HIPAA

On the roadmap once SOC 2 attestation lands. HIPAA is available earlier on enterprise plans if you need a BAA.

  • ISO 27001 scoping
  • HIPAA BAA on request
  • Regional data residency
  • Pen-test cadence published

We're an early-stage company building toward enterprise-grade compliance. If your security team needs documentation before approving a vendor, email security@traceback.cc and we'll send what we have today.

What we do today

The practices already in place.

Infrastructure

Traceback runs on Vercel and Railway. Production data lives in managed databases with daily backups. Every region we use is SOC 2 compliant at the provider level.

Encryption

Data in transit is encrypted with TLS. Data at rest is encrypted by our hosting providers. Test artifacts sit in object storage with the same encryption guarantee.

Authentication

Authentication runs through Clerk, which is SOC 2 Type II certified. We support email and password, Google, and GitHub. Workspace owners can enforce SSO across the team.

Secrets

Customer credentials supplied to runs are stored encrypted, scoped to the runs that need them, and never logged in plaintext or surfaced in test definitions.

Monitoring

We page on infrastructure failures around the clock. Suspicious authentication patterns trigger alerts to the security team.

AI providers

Inference runs through providers under agreements that prohibit training on customer data. No prompts or outputs are retained beyond the request lifetime.

Vulnerability disclosure

Found something? Tell us first.

We respond to security reports within one business day and aim to fix critical issues within seven. We don't have a paid bounty program yet, but we publicly credit researchers who report responsibly.

security@traceback.cc

Need more?

Vendor reviews and DPAs.

We'll fill out a security questionnaire, walk your team through our architecture, sign a DPA, or hop on a call. Until SOC 2 is in place, we lean on transparency over paperwork.

Get in touch