Trust center
One page. Everything you need.
Security, privacy, compliance, and disclosure — consolidated in one navigable hub for buyers + security teams.
Security architecture
Encryption at rest and in transit, workspace isolation enforced by row-level security (RLS), AES-256-GCM encryption of secrets at the application layer, and strict Content-Security-Policy, HSTS and X-Frame-Options: DENY headers on every response.
Read the security page
Privacy policy
What we collect, how we use it, and what we share. GDPR-friendly, CCPA-compliant, written in plain English. Includes a walkthrough of data-subject rights.
Read the privacy policy
Vulnerability disclosure
RFC 9116-compliant disclosure policy published at /.well-known/security.txt. Coordinated disclosure welcome. Reports acknowledged within 1 business day.
Read security.txt
Terms of service
Acceptable use, billing, AI report disclaimers, and jurisdictional posture (FL). Standard SaaS terms; no surprises.
Read the terms
Compliance posture
GDPR (EU + UK): Compliant
Per-subject DSAR export endpoint, configurable retention with an auto-purge cron job, right to erasure via subject deletion (cascading deletes), and a data-processing addendum available on request.
FCRA (US, employment + credit): Aware + supportive
Tracelight is a tool, not a consumer reporting agency (CRA); your organization remains the reporter. The product enforces consent capture before generating FCRA-flagged reports, ships pre-built adverse-action notice templates, and audit-logs every view and download.
CCPA / CPRA (California): Compliant
Same DSAR and erasure capabilities as for GDPR. We do not sell personal information.
SOC 2 Type II: On the roadmap
The architecture is SOC 2-ready (encryption, RLS, audit logging, no shared infrastructure). Formal audit timing depends on enterprise customer demand. See /roadmap.
HIPAA: Not in scope
Tracelight is not designed to handle protected health information (PHI). If your investigative use case involves PHI, contact us before signing; we'll discuss whether a custom contract makes sense.
Sub-processors
Third-party services Tracelight uses to deliver the product. Each is SOC 2 Type II audited.
Vercel: Web hosting + edge CDN (US-East primary, global edge)
Supabase: Postgres database + Auth + Storage (US-East)
Anthropic: Claude API for narrative generation + NL→SQL (US; no data retention or training)
Stripe: Payment processing (global)
Resend: Transactional email (US-East)
Various OSINT providers: Worker data sources (HIBP, Hunter, Dehashed, Shodan, etc.) (region varies per provider)
Need a custom DPA / BAA / NDA?
Email legal@trytracelight.com with your security team's requirements. We respond within one business day.
