TRACEGov
Security & Trust Center

Security by Architecture, Not by Promise

TraceGov is built with security and compliance at the infrastructure level. Your data never leaves the EU. Every interaction is cryptographically verified. Every design decision prioritizes your data sovereignty.

GDPR Art. 25: Data protection by design
EU AI Act Ready: Deployer governance
eu-central-1: Frankfurt, Germany
SOC 2 Type II: In progress
ISO 27001: Aligned

How Your Data Flows

Every component runs in the EU. There are no exceptions.

Your Browser
Client
TLS 1.3
Frankfurt, DE
CloudFront CDN
eu-central-1
Amplify + Lambda
eu-central-1
AWS Bedrock
AI inference (Claude, Titan)
No model training on your data
eu-central-1
DynamoDB + Neo4j
14 tables + Knowledge Graph
AES-256 encrypted at rest
eu-central-1
Cognito + IAM
Auth, MFA, token rotation
Least-privilege access
All components: eu-central-1 (Frankfurt, Germany)

Six Security Pillars

Each pillar is enforced at the infrastructure level — not by policy documents.

EU Data Residency

Zero US data transfer. Zero CLOUD Act exposure.

All data is processed and stored exclusively in AWS Frankfurt (eu-central-1). This is enforced at the infrastructure level — IAM policies, VPC configuration, and service endpoints are locked to the EU region. No data leaves the EU, ever.

Merkle-Chain Audit Trail

Cryptographic proof of what happened and when.

Every AI interaction produces a SHA-256 hash-verified record. Each record chains to the previous via cryptographic linking, creating a tamper-evident evidence trail that any auditor or regulator can verify independently.
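
An added illustration, not TraceGov's code: a SHA-256 hash chain of the kind described above, with the check an auditor could run independently. The record fields, the all-zero genesis value and the canonical-JSON serialization are assumptions made for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value preceding the first record


def record_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus canonical JSON of the payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain, payload):
    """Link a new record to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload,
                  "hash": record_hash(prev, payload)})
    return chain


def verify(chain, expected_head=None):
    """Return (ok, index of first failing record or None).

    expected_head is a head hash the auditor obtained out of band; without
    it, a wholesale rewrite or a truncated chain still verifies.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["payload"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_sample():
    """Constructed sample: three AI-interaction records (hypothetical fields)."""
    chain = []
    for seq, text in enumerate(["prompt-a", "prompt-b", "prompt-c"]):
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        append(chain, {"seq": seq, "event": "inference", "input_sha256": digest})
    return chain


if __name__ == "__main__":
    chain = build_sample()
    print(verify(chain, chain[-1]["hash"]))
```

An in-place edit breaks the link at the edited record, but a chain recomputed from scratch or cut short only fails when compared against a head hash held outside the record store.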

Encryption at Every Layer

AES-256 at rest. TLS 1.3 in transit. AWS KMS managed.

All data is encrypted using industry-standard algorithms managed through AWS Key Management Service. No plaintext storage of sensitive data at any point in the processing pipeline.

7-Year Evidence Retention

Meeting the most stringent regulatory requirements.

Audit trail records are retained for up to 7 years, satisfying the EU AI Act's record-keeping obligations (Article 12) and aligning with financial services regulatory retention requirements.

GDPR Article 25 Compliant

Data protection by design and by default.

TraceGov implements GDPR principles at the architectural level — not as an afterthought. Minimal data collection, purpose limitation, storage limitation, and cryptographically verified data deletion.

Zero Third-Party Data Sharing

Your data stays in your account. Period.

TraceGov never shares your data with third parties for training, analytics, or any other purpose. AI inference runs through AWS Bedrock EU Inference Profiles — your prompts and responses are never used to train foundation models.

Compliance & Regulatory Alignment

Built to satisfy the requirements of the most demanding regulatory frameworks.

EU AI Act

Ready

Art. 9 (Risk Management), Art. 12 (Record-Keeping), Art. 13 (Transparency), Art. 14 (Human Oversight), Art. 26 (Deployer Obligations)

GDPR

Compliant

Art. 5 (Principles), Art. 25 (By Design), Art. 28 (Processor), Art. 32 (Security), Art. 35 (DPIA), Art. 44-49 (Transfers)

NIS2 Directive

Aligned

Art. 21 (Cybersecurity Risk Management), Art. 23 (Incident Reporting)

DORA

Aligned

Art. 6 (ICT Risk Management), Art. 11 (Response & Recovery), Art. 28 (Third-Party Risk)

Infrastructure Stack

Complete transparency into every service that touches your data.

Compute

AWS Lambda
Serverless, auto-scaling, zero idle cost
eu-central-1
AWS Amplify
Frontend hosting with CI/CD
eu-central-1

AI & ML

AWS Bedrock
Claude, Titan — all EU-only
EU Inference Profiles
TRACE Engine
5-dimension scoring pipeline
eu-central-1
CERI Engine
Constraint injection at inference
eu-central-1

Data Storage

DynamoDB
14 tables, AES-256 encrypted
eu-central-1
Neo4j
Knowledge graph storage
eu-central-1
S3
Document storage, encrypted
eu-central-1

Identity & Access

AWS Cognito
MFA, JWT, secure token rotation
eu-central-1
IAM Policies
Least-privilege, role-based access
eu-central-1

Network & Delivery

CloudFront CDN
TLS 1.3 enforced
Global edge, EU origin
Route 53
DNS, DNSSEC-ready
Global
WAF
DDoS protection, rate limiting
eu-central-1

Payments

Stripe
PCI DSS Level 1 compliant
EU processing

Operational Security

Security is not just architecture — it's process, monitoring, and response.

Monitoring & Alerting

  • AWS CloudWatch for real-time infrastructure monitoring
  • Automated alerting for anomalous access patterns
  • Lambda function error tracking and auto-scaling
  • CDN performance and security event monitoring

Incident Response

  • Detection: automated, within minutes
  • Acknowledgment: within 1 hour
  • Containment: within 4 hours
  • Customer notification: within 24 hours
  • Post-incident review: within 72 hours

Access Control

  • Role-based access control (RBAC) for all services
  • Least-privilege IAM policies — no admin-by-default
  • MFA enforced for all infrastructure access
  • Audit logging for all administrative actions

Secure Development

  • Infrastructure as Code (AWS CDK / CloudFormation)
  • Automated dependency vulnerability scanning
  • Code review required for all production changes
  • Separate staging and production environments

Security FAQ

Where is my data stored?

Is my data used to train AI models?

How does the Merkle-chain audit trail work?

Can I export my audit trails for regulators?

What happens when I delete my account?

Do you have SOC 2 Type II certification?

How do you handle security incidents?

What sub-processors do you use?

Responsible Disclosure

Found a security vulnerability? We take security reports seriously and appreciate responsible disclosure from the security research community.

Acknowledgment: Within 24 hours
First update: Within 72 hours
Resolution: Based on severity assessment
Report a Vulnerability

Contact: security@tracegov.ai

Need More Detail?

We provide detailed security documentation, Data Processing Agreements, and sub-processor lists to enterprise customers and their security teams.