Security, Privacy, and Data Persistence
How Traceable protects your product passport data. Transparent about what we have today and what's on the roadmap.
Infrastructure
Production-grade infrastructure designed for regulated compliance data from day one.
Cloud Hosting
EU Only: Hosted on EU cloud infrastructure (Ireland). All data stays within the European Union.
Encryption
Active: TLS 1.3 in transit. AES-256 at rest. Database connections encrypted end-to-end.
Backups
Daily: Automated daily backups with 30-day retention. Point-in-time recovery capability.
Uptime
99.9% uptime target. Status page available for real-time monitoring.
View status page →
Access Security
Active: OTP-authenticated access, so there is no password database to steal. Row-level security enforced at the database layer, not in application code. API rate limits tracked in a distributed cache, so the limit holds across all application instances rather than per server.
Audit Trail
Active: Immutable audit log; every data mutation timestamped and attributed. Full traceability of who changed what and when.
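The two controls described above, tenant isolation enforced by the database itself and an append-only audit log, as an added example in PostgreSQL. This is illustrative code written for this page, not Traceable's schema; the table, column, role and session-setting names (`passports`, `passport_audit`, `app_user`, `app.tenant_id`, `app.actor`) are assumptions. The reason to put isolation in the database rather than the application is that a query which forgets its tenant filter then returns nothing instead of every tenant's rows.

```sql
-- Added example, not Traceable's schema: PostgreSQL row-level security for
-- tenant isolation plus an append-only audit table populated by a trigger.
-- Table, column, role and setting names are assumptions for illustration.

CREATE TABLE passports (
    id          bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    product_ref text        NOT NULL,
    payload     jsonb       NOT NULL
);

-- The application connects as a role that neither owns the table nor is a
-- superuser. Table owners skip policies unless FORCE ROW LEVEL SECURITY is set;
-- superusers and roles with BYPASSRLS skip them regardless.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON passports TO app_user;
GRANT USAGE, SELECT ON SEQUENCE passports_id_seq TO app_user;

ALTER TABLE passports ENABLE ROW LEVEL SECURITY;
ALTER TABLE passports FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-transaction setting the app sets after it has
-- authenticated the request. current_setting(name, true) returns NULL when the
-- setting is absent, so an unscoped connection sees and writes nothing.
CREATE POLICY tenant_isolation ON passports
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Append-only audit log: one row per mutation with who, when, what, old and new state.
CREATE TABLE passport_audit (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    tenant_id   uuid        NOT NULL,
    actor       text        NOT NULL,   -- NOT NULL: a mutation with no actor set fails
    operation   text        NOT NULL,
    passport_id bigint      NOT NULL,
    before_row  jsonb,
    after_row   jsonb
);
GRANT SELECT ON passport_audit TO app_user;   -- read only; rows arrive via the trigger

-- Tenants can read only their own audit rows. The trigger below inserts as the
-- function owner, which is not subject to this policy (no FORCE here).
ALTER TABLE passport_audit ENABLE ROW LEVEL SECURITY;
CREATE POLICY audit_tenant_read ON passport_audit FOR SELECT
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- SECURITY DEFINER so app_user needs no INSERT right on the audit table;
-- search_path pinned so the definer context cannot be hijacked via a rogue schema.
CREATE FUNCTION record_passport_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
BEGIN
    INSERT INTO passport_audit (tenant_id, actor, operation, passport_id, before_row, after_row)
    VALUES (
        CASE WHEN TG_OP = 'DELETE' THEN OLD.tenant_id ELSE NEW.tenant_id END,
        current_setting('app.actor', true),    -- set per request, like app.tenant_id
        TG_OP,
        CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN NULL;   -- AFTER trigger: return value is ignored
END $$;

CREATE TRIGGER passports_audit
    AFTER INSERT OR UPDATE OR DELETE ON passports
    FOR EACH ROW EXECUTE FUNCTION record_passport_change();

-- Immutability: reject every UPDATE or DELETE on audit rows, owner included.
CREATE FUNCTION reject_audit_change() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'passport_audit is append-only; % rejected', TG_OP;
END $$;

CREATE TRIGGER passport_audit_immutable
    BEFORE UPDATE OR DELETE ON passport_audit
    FOR EACH ROW EXECUTE FUNCTION reject_audit_change();

-- How one request is scoped (constructed values). SET LOCAL ends with the
-- transaction, so a pooled connection cannot carry one tenant's scope into the next.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SET LOCAL app.actor     = 'editor@example.test';
INSERT INTO passports (tenant_id, product_ref, payload)
VALUES ('11111111-1111-1111-1111-111111111111', 'BAT-0001', '{"chemistry": "LFP"}');
-- A row for a different tenant fails the WITH CHECK clause and is rejected:
-- INSERT INTO passports (tenant_id, product_ref, payload)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'BAT-0002', '{}');
COMMIT;
```

Run the scoped transaction as `app_user` (or a login role that is a member of it); run as the table owner or a superuser it would bypass the policies and prove nothing. Note the limit of "immutable" at this layer: a database administrator can still disable the trigger or drop the table, so the log is immutable to the application, not to the DBA. Tamper evidence against an administrator needs the audit rows shipped to write-once storage outside the database.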
Data Handling
Your product passport data is legally sensitive compliance information. We treat it accordingly.
Data Ownership
You own your data. Always. Traceable is a processor, not an owner. We never sell, share, or use your product data for any purpose other than delivering the service.
Data Portability
Export your complete passport data at any time in JSON-LD, CSV, or PDF format. No lock-in. If you leave, your data leaves with you.
Data Retention
Published product passports remain accessible for the regulatory minimum period (currently 10 years for battery passports per Regulation 2023/1542). Even if your subscription lapses, published passports remain accessible to end users and market surveillance authorities.
GDPR
Traceable is GDPR-compliant by design. Product passports contain product data, not personal data. Any personal data (user accounts, contact details) is processed under strict GDPR guidelines with a clear legal basis.
What We Have Today vs. What's Coming
We believe trust requires honesty. Here is an accurate picture of our security posture — what is live, what is planned, and what we are still evaluating.
| Feature | Status | Detail |
|---|---|---|
| TLS 1.3 / HTTPS | Live | All connections encrypted |
| AES-256 at rest | Live | Database and file storage |
| EU cloud hosting | Live | Ireland, European Union |
| Daily backups | Live | 30-day retention |
| Role-based access | Live | Admin, Editor, Viewer roles |
| GDPR compliance | Live | DPA available on request |
| 10-year DPP retention | Live | Per Battery Regulation requirement |
| Immutable audit log | Live | Every data mutation timestamped and attributed |
| OTP authentication | Live | No password databases — all access via one-time codes |
| Row-level security | Live | Enforced at database layer, not application layer |
| Rate-limited API | Live | Distributed rate limiting on all endpoints |
| Penetration testing | Planned 2026 | Independent third-party pentest scheduled |
| SOC 2 Type II | Planned Q4 2026 | Audit process begins when ARR threshold reached |
| ISO 27001 | Planned 2027 | Certification targeted after SOC 2 |
| Bug bounty program | Evaluating | Under consideration |
| EU DPP Service Provider Certification | In Preparation | Preparing for certification under forthcoming ESPR delegated act |
Compliance and Legal
The legal framework governing how we handle your data.
Data Processing Agreement
Available on request for all paid plans. Standard contractual clauses included.
Request DPA →
Terms of Service
Clear terms governing platform usage, data rights, and service commitments.
Read terms →
Regulatory Alignment
Traceable is built around the regulations that define DPP requirements. Every template, data model, and compliance check maps directly to published legislation.
ESPR Regulation 2024/1781
Templates and compliance architecture aligned with the Ecodesign for Sustainable Products Regulation framework. Compliance scoring tracks all ESPR-mandated fields separately.
EU Battery Regulation 2023/1542, Annex XIII
111-field LMT battery template, 98-field EV battery template, and 96-field Industrial battery template — all pre-mapped to Annex XIII mandatory and recommended data requirements.
Aligned with CIRPASS-2 DPP Architecture
Traceable follows the DPP architecture being developed by the CIRPASS-2 consortium — GS1 Digital Link identifiers, JSON-LD structured data output, and standards-compliant resolver infrastructure.
EU DPP Service Provider Certification — In Preparation
Traceable is preparing for EU DPP Service Provider certification under the forthcoming ESPR delegated act on service provider requirements. This is a forward-looking commitment — the delegated act is not yet finalised.
Security and Trust FAQ
Where is data hosted?
All data is hosted exclusively in EU data centres (Dublin, Ireland) within the European Union. No product data, user data, or backup data is stored outside the EU at any time. Database instances, object storage, and CDN origin servers are all located in the Ireland region. Because all processing stays within the European Economic Area, no international transfer under GDPR Chapter V (Article 44 onwards) takes place, so no transfer mechanism is needed.
How is data encrypted?
Data at rest is encrypted with AES-256, the block cipher specified in NIST FIPS 197 and recommended by ENISA for protecting sensitive data. Data in transit uses TLS 1.3 exclusively; older protocols (TLS 1.0, 1.1 and 1.2) are disabled, which means clients that cannot negotiate TLS 1.3 are refused rather than downgraded. Database connections between application servers and the relational database use encrypted channels enforced at the connection level, so a plaintext connection is rejected rather than silently accepted. File uploads in object storage use server-side encryption with provider-managed keys (AES-256).
Is Traceable GDPR compliant?
Yes. Digital Product Passports carry product data rather than personal data, so passport content itself normally falls outside the GDPR. The exception is any personal data a customer enters into a passport field (for example a named contact person), which is personal data under the GDPR wherever it sits. Personal data we process ourselves (user accounts, contact details, billing information) is handled under GDPR Article 6(1)(b) (contractual necessity) and Article 6(1)(f) (legitimate interest). We offer a Data Processing Agreement compliant with GDPR Article 28 on request, maintain a public subprocessor list per Article 28(2), and support data subject rights including access (Article 15), rectification (Article 16), erasure (Article 17), and portability (Article 20).
Is Traceable SOC 2 or ISO 27001 certified?
Not yet, and we say so plainly. A SOC 2 Type II audit is planned for Q4 2026 and ISO 27001 certification is targeted for 2027. Today, we implement production-grade security controls: AES-256 encryption at rest, TLS 1.3 in transit, OTP-authenticated access with no password database, immutable audit logging on all data mutations, row-level security enforced at the database layer, rate-limited APIs with abuse detection, role-based access control, automated daily backups with 30-day retention, and EU-only data hosting.
Do you perform penetration testing?
Traceable conducts application-level security testing on every release. Independent third-party penetration testing is scheduled for Q3 2026 and will be performed by a CREST-accredited provider covering the OWASP Top 10 (2021 edition), API security per the OWASP API Security Top 10, authentication bypass, authorisation escalation, and injection attacks. Results and remediation timelines will be available under NDA to enterprise customers on request.
What happens when there is a security incident?
Traceable maintains a documented incident response plan aligned with NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide). Security incidents are classified by severity (P1 through P4). P1 incidents (confirmed data breach or service compromise) trigger immediate containment and forensic investigation, notification of affected customers within 72 hours at the latest, and a published post-incident report within 14 days. On the legal basis: GDPR Article 33(2) requires a processor to notify the controller without undue delay, and the 72-hour period in Article 33(1) is the customer's own deadline, as controller, for notifying the supervisory authority once aware of the breach. All incidents are logged with root cause analysis and remediation actions regardless of severity.
Questions about security or compliance?
Get in touch. We are happy to discuss our security posture, provide a Data Processing Agreement, or walk through our infrastructure in detail.