Security at the Core of Everything We Build.
Tracelet sits in the middle of some of your organisation's most sensitive interactions — across both engineering systems and business team data flows. We take that responsibility seriously, and we've built the platform accordingly. For the broader question of how we govern responsibly without becoming surveillance, see our Privacy & Responsible Governance page.
Architecture Security
Data Minimization by Design
The endpoint agent is built on a principle of evaluating content locally wherever possible. Policy decisions — including content classification — happen on the endpoint. Prompt content does not transit to our cloud infrastructure by default.
Encrypted in Transit and at Rest
All communication between endpoint agents and the central policy engine uses TLS 1.3. Audit logs and policy stores are encrypted at rest using AES-256. Encryption keys are customer-managed via AWS KMS, Azure Key Vault, or HashiCorp Vault.
Zero-Trust Network Architecture
Every internal service-to-service call within the Tracelet platform is authenticated and authorized. No component trusts another by default. Lateral movement within our infrastructure is architecturally constrained.
Access Controls
Role-Based Access Control (RBAC)
The Tracelet console enforces strict role separation. Security admins, compliance officers, and executive viewers each have precisely scoped access to the data relevant to their role. No shared credentials.
Multi-Factor Authentication
MFA is mandatory for all administrator access. SSO integration with your existing identity provider (Okta, Azure AD/Entra ID, Ping Identity) is supported and recommended for all enterprise tiers.
Audit Logs for the Platform Itself
Every action taken within the Tracelet console — policy change, configuration update, report export — is itself logged in an immutable audit trail. Answer 'who changed that policy and when' with a single query.
Deployment Options
SaaS (Cloud-Hosted)
Tracelet manages infrastructure, availability, and updates. Data is hosted in your preferred region. Suitable for most enterprise deployments with standard data residency requirements.
Private Cloud / VPC
For organizations with strict data sovereignty requirements, Tracelet can be deployed within your own cloud environment (AWS, Azure, GCP). You control the infrastructure. We provide the software.
Air-Gapped On-Premises
For regulated industries requiring complete data containment, a fully on-premises deployment option is available. No data leaves your environment. Licensing and update channels are the only external connections.
Our Security Posture
For Your Security Review Team
Our full security package — including architecture diagrams, penetration test executive summaries, sub-processor list, and DPA templates — is available under NDA for qualified enterprise prospects.