Security at TraceAI

Built for trust, by design

TraceAI processes sensitive hiring decisions. We treat security and data integrity as foundational requirements, not afterthoughts. This page describes how we protect your data, verify compliance evidence integrity, and meet regulatory expectations.

Data Handling

Infrastructure & Residency

All data is stored in Supabase-managed PostgreSQL within the EU/UK region. Application servers run on EU-hosted infrastructure. No customer data is transferred outside of the EU/UK unless explicitly configured by the customer.

Encryption at Rest

Database volumes use AES-256 encryption at rest. Supabase encrypts all stored data, backups, and WAL archives using industry-standard methods managed via the hosting provider’s KMS.

Encryption in Transit

All connections to the TraceAI API and dashboard are served over TLS 1.2+ (HTTPS). Internal service-to-database connections use encrypted channels. API keys are transmitted exclusively in HTTP headers, never in URLs or query parameters, where they would end up in access logs, browser history and Referer headers.

Retention Policies

Customers configure their own data retention period (or retain data indefinitely). When a retention window expires, records are permanently deleted via an automated cron process. Shared audit links expire independently from underlying decision data.

Deployment Options

Cloud (default)

All data stored in Supabase-managed PostgreSQL within the EU/UK region. Encrypted at rest with AES-256. No customer data transferred outside the EU/UK unless explicitly configured. SOC 2 Type II certification in progress.

Private cloud / VPC

Available for Enterprise customers from Q3 2026. Deploy TraceAI within your own AWS, Azure, or GCP infrastructure for complete data sovereignty. Your decision data never leaves your network.

On-premise

On our roadmap for Enterprise customers. Contact us to discuss requirements.

Authentication

Passwordless Login

Dashboard access uses Supabase Auth magic links — no passwords are stored or transmitted. Each magic link is single-use and time-limited.

Two-Factor Authentication (TOTP)

All dashboard users can enable TOTP-based two-factor authentication. Once enabled, a 6-digit code from an authenticator app is required on every login. TOTP secrets are stored server-side and never exposed to the client after initial setup.

SSO & Enterprise Auth

Enterprise customers can configure SAML-based single sign-on via Supabase Auth providers. Contact us to set up SSO for your organisation.

Session Management

Sessions are managed by Supabase Auth with secure, HTTP-only cookies. Sessions expire after inactivity and are invalidated on sign-out. API access uses scoped sk_live_ keys that can be rotated at any time from the dashboard.

Compliance Evidence Integrity

SHA-256 Hash Chain

Every decision record is cryptographically linked to the previous record via a SHA-256 hash chain. The hash is computed over: the previous record’s hash, the customer ID, decision type, canonically-serialised inputs and outputs, and the UTC timestamp. This produces an append-only chain: altering any field of a record changes its hash, and because every later record commits to its predecessor’s hash, the link from every subsequent record breaks as well.

Canonical Serialisation

JSON fields are serialised with sorted keys (canonicalJson) before hashing, ensuring deterministic output regardless of key insertion order. Timestamps are normalised to UTC Z-suffix format.

Tamper Detection & Verification

The GET /v1/decisions/:id/verify endpoint recomputes the hash chain for any decision and its predecessors, returning a clear pass/fail result. Any altered record, timestamp, or field will cause verification to fail, providing an auditable proof of integrity.

Immutable by Design

Decision records cannot be updated or deleted through the API. The only write operation is append. Retention-based deletion is the sole path to removal, and it is logged.

Access Controls

Role-Based Access Control

Dashboard users are assigned one of three roles: Admin, Compliance Officer, or Viewer. Admins manage team members, API keys, and workspace settings. Compliance Officers access all audit data and exports. Viewers have read-only access to decisions.

Workspace Isolation

Every customer operates in an isolated workspace. PostgreSQL Row Level Security (RLS) policies enforce data isolation at the database layer: a query issued through a role subject to RLS cannot return rows belonging to another customer, even if an application-level bug omits the workspace filter.

API Key Scoping

API keys are prefixed sk_live_ and scoped to a single customer workspace. Keys authenticate both writes (logging decisions) and reads (querying/exporting). Keys can be rotated instantly from the dashboard with no downtime.

Rate Limiting

All API endpoints enforce per-key rate limits based on the customer’s plan tier (100–2,000 req/min). This protects against abuse and ensures fair resource allocation across tenants.

Compliance

GDPR Article 22 Alignment

TraceAI helps employers meet their obligations under GDPR Article 22 by logging the inputs, outputs, and rationale of automated hiring decisions. This provides the documentation needed to demonstrate meaningful human oversight and offer explanations to data subjects.

ICO Guidance Alignment

Our compliance evidence structure aligns with the UK Information Commissioner’s Office guidance on AI and automated decision-making, including requirements for transparency, explainability, and record-keeping.

Data Subject Rights

TraceAI supports data subject access requests (DSARs) through its export functionality. Customers can retrieve, filter, and export all decision records for a given candidate or time period in CSV format. Candidate-facing transparency pages can be shared via secure, time-limited links.

EU AI Act Readiness

High-risk AI systems used in employment require detailed logging and human oversight under the EU AI Act. TraceAI’s immutable compliance records, bias flagging, and confidence scoring are designed to support compliance with these emerging requirements.

Data Processing

Data Processing Agreement (DPA)

TraceAI provides a comprehensive Data Processing Agreement compliant with UK GDPR Article 28. The DPA covers all processing activities including decision metadata, pseudonymised identifiers, and audit trail data. It details our sub-processors, security measures, breach notification procedures, and data subject rights obligations.

Responsible Disclosure

If you believe you’ve found a security vulnerability in TraceAI, we encourage responsible disclosure. Please email us at:

We will acknowledge your report within two business days and aim to resolve confirmed vulnerabilities promptly. We ask that you avoid public disclosure until we’ve had a reasonable opportunity to investigate and remediate.

Last updated: March 2026. If you have questions about our security practices, contact security@gettraceai.com.