The security posture, stated in prose.
A procurement reviewer should be able to read this page once and decide whether to forward it to legal. No compliance-logo wall. No shield icons. No "trust center" framing. The five sections below cover what a security questionnaire asks first.
SOC 2
Traceo is pursuing SOC 2 Type II. The Type I observation window opens in Q3 2026 with a target audit close of Q1 2027; Type II observation begins immediately after. Until the report is available we offer a security questionnaire pre-filled against the CAIQ v4.0 lite framework on request — email security@traceo.cat. We will not claim compliance we do not yet have.
Hosting
Production runs on AWS in eu-west-1 (Ireland) with a warm standby in eu-central-1 (Frankfurt). Database backups are encrypted with customer-scoped keys and retained for 35 days. The status page at status.traceo.cat reports availability, scheduled maintenance, and incident timelines without redaction.
Data residency
Customer data — requirements, baselines, links, audit log, comments — lives in the customer's primary region and never leaves it. Operational metadata (account email, billing, sign-in metadata) sits in eu-west-1. Telemetry on the marketing surface is isolated from the product surface; no requirement content is read by any analytics provider, ever. Self-hosted deployments keep customer data inside the customer's perimeter.
Encryption
TLS 1.3 in transit on every public surface; TLS 1.2 minimum on internal service mesh. AES-256 at rest on the database, on object storage, and on the audit log archive. Database encryption keys are AWS KMS-managed with a 365-day rotation cadence; customer-managed keys (BYOK) are available on the Regulated tier. Backups carry the same encryption posture as primary storage.
Access controls
Authentication is email + magic link or SAML / OIDC SSO on the Team and Regulated tiers, with WebAuthn second factor optional on every tier. The role model is three roles (Admin · Editor · Reviewer) with workspace-scoped permissions. The append-only audit log retains every state change with actor, timestamp, and reason for seven years. Support staff access to customer data is request-and-approval only, time-boxed, and recorded in the same audit log the customer reads.
Procurement reviewers and security teams: email security@traceo.cat. We answer within one business day with the questionnaire, the latest posture statement, and a calendar link for a live walkthrough.
Compliance posture.
Traceo is built for procurement-grade audits. Every state change carries an actor, a timestamp, and a reason. Every baseline is content-addressed and deterministically diffable. Every requirement link is typed, redundantly encoded (color, glyph, label), and survives colorblind review.
WCAG 2.2 AA strict, including data visualization. Verified against deuteranopia, protanopia, and tritanopia simulations on every state color. The traceability graph exposes a parallel ARIA tree as its accessibility path; the canvas is not the only road through the data.
No third-party analytics in the product surface. No telemetry on requirement content. Self-hostable. Audit logs are append-only and exportable in their original schema, not a reformatted summary.
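Two of the properties stated above (baselines that are content-addressed and deterministically diffable; an audit log that is append-only and records actor, timestamp and reason for every state change) can be illustrated in a few lines. The Python below is an added example written for this page, not Traceo's implementation or schema: the record layout, field names, chaining scheme and sample requirements are all constructed assumptions.

```python
"""Illustration (not Traceo's code): content-addressed baselines with a deterministic
diff, plus a hash-chained, append-only audit log in which every entry must carry
actor, timestamp and reason. All field names and sample data are constructed."""
import hashlib
import json
from typing import Any


def canonical(obj: Any) -> bytes:
    """Canonical JSON: sorted keys, no insignificant whitespace, NaN rejected.
    Identical content always serialises to identical bytes, which is what makes
    the hash below a stable content address rather than a fingerprint of key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def baseline_id(requirements: dict[str, dict]) -> str:
    """Content address of a baseline (map of requirement id -> requirement body)."""
    return sha256_hex(canonical(requirements))


def diff_baselines(old: dict[str, dict], new: dict[str, dict]) -> dict[str, list[str]]:
    """Deterministic diff: compares canonical bytes per requirement, output sorted."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if canonical(old[k]) != canonical(new[k]))
    return {"added": added, "removed": removed, "changed": changed}


class AuditLog:
    """Append-only, hash-chained log. Entry N commits to entry N-1, so editing or
    removing an earlier entry breaks verify(). Truncating the tail is only caught
    if the reader pins the latest entry_hash somewhere outside the log."""
    GENESIS = "sha256:" + "0" * 64

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, actor: str, timestamp: str, reason: str, change: dict) -> str:
        if not (actor and timestamp and reason):
            raise ValueError("actor, timestamp and reason are mandatory")
        prev = self._entries[-1]["entry_hash"] if self._entries else self.GENESIS
        body = {"seq": len(self._entries), "actor": actor, "timestamp": timestamp,
                "reason": reason, "change": change, "prev_hash": prev}
        entry = {**body, "entry_hash": sha256_hex(canonical(body))}
        self._entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for seq, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != seq or body["prev_hash"] != prev:
                return False
            if sha256_hex(canonical(body)) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def export_jsonl(self) -> str:
        """Export in the original record schema, one JSON object per line."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries)

    @staticmethod
    def import_jsonl(text: str) -> "AuditLog":
        log = AuditLog()
        log._entries = [json.loads(line) for line in text.splitlines() if line]
        return log


# Constructed sample baselines (hypothetical requirement ids and text).
BASELINE_V1 = {
    "REQ-1": {"text": "Audit log entries are append-only.", "status": "approved"},
    "REQ-2": {"text": "Backups retained for 35 days.", "status": "approved"},
}
BASELINE_V2 = {
    "REQ-1": {"text": "Audit log entries are append-only.", "status": "approved"},
    "REQ-2": {"text": "Backups retained for 35 days.", "status": "review"},
    "REQ-3": {"text": "TLS 1.3 on every public surface.", "status": "draft"},
}


def demo() -> dict[str, bool]:
    """Record two state changes, round-trip the export, then edit history in a copy."""
    log = AuditLog()
    log.append("alice@example.test", "2026-01-10T09:00:00Z", "Initial baseline",
               {"baseline": baseline_id(BASELINE_V1)})
    log.append("bob@example.test", "2026-01-11T14:30:00Z",
               "Re-open REQ-2 after retention review; add REQ-3",
               {"from": baseline_id(BASELINE_V1), "to": baseline_id(BASELINE_V2),
                "diff": diff_baselines(BASELINE_V1, BASELINE_V2)})
    round_trip = AuditLog.import_jsonl(log.export_jsonl())
    tampered = AuditLog.import_jsonl(log.export_jsonl())
    tampered._entries[0]["reason"] = "Initial baseline (edited)"  # silent edit of history
    return {"intact": log.verify(), "round_trip": round_trip.verify(),
            "tampered": tampered.verify()}


if __name__ == "__main__":
    print(demo())  # {'intact': True, 'round_trip': True, 'tampered': False}
```

The verifier is the reader's check, not the writer's promise: a customer who exports the log in its original schema can recompute every hash offline, and a reviewer who stores the latest entry hash alongside the export can later tell whether the log was shortened.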
- WCAG 2.2 AA
- Append-only audit log
- Self-hostable
- MCP-native