Auditor-grade trust. Small-shop simple.
You hold the data that keeps buildings legal. We treat it that way. SOC 2 Type II, encrypted in transit and at rest, region-pinned, and exportable whenever you want it.
Three promises.
Your data is yours.
One-click CSV export of every record — customers, sites, devices, signed reports, invoices. Forever, no hostage pricing. If you leave, you walk out with everything you walked in with — plus everything you built here.
Nothing happens without a trace.
Every read, every edit, every export is logged with who, when, where, and what. Your audit trail is a real audit trail — signed, timestamped, tamper-evident — not a best-effort event log.
Reports are locked.
A signed report gets a SHA-256 hash and a signed, timestamped chain-of-custody receipt. Six months later, the city can recompute the hash of the PDF it was handed, check it against the receipt, and confirm it hasn't been altered. That's the "lock" in TraceLock.
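How a hash-chained, signed audit trail and a report receipt fit together, as an added illustration; this is example code, not TraceLock's implementation. It assumes a tamper-evident log where each entry commits to the previous entry's hash, and it uses an HMAC-SHA256 tag as a stand-in for the public-key signature a real receipt would carry (the key, field names and sample records are all constructed for the example).

```python
"""Tamper-evident audit chain plus report receipt check (illustrative, stdlib only)."""
import hashlib
import hmac
import json

# Constructed demo key. A production receipt would be signed with a public-key
# scheme (e.g. Ed25519) so a third party can verify without holding a secret;
# HMAC-SHA256 is used here only so the example runs on the standard library.
SIGNING_KEY = b"tracelock-demo-key-do-not-use"
FIELDS = ("who", "when", "action", "what", "payload_sha256", "prev_hash")
GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Stable serialisation (fixed key order and separators) so hashes reproduce."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tag_for(entry_hash: str) -> str:
    return hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()


def append_entry(chain: list, who: str, action: str, what: str,
                 payload: bytes, when: str) -> dict:
    """Append one audit entry linked to the previous entry's hash, then tag it."""
    body = {
        "who": who, "when": when, "action": action, "what": what,
        "payload_sha256": sha256_hex(payload),
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry_hash = sha256_hex(canonical(body))
    entry = dict(body, entry_hash=entry_hash, tag=tag_for(entry_hash))
    chain.append(entry)
    return entry


def verify_entry(e: dict) -> bool:
    """Entry hash must match its fields, and the tag must match the entry hash."""
    body = {k: e[k] for k in FIELDS}
    if sha256_hex(canonical(body)) != e["entry_hash"]:
        return False
    return hmac.compare_digest(tag_for(e["entry_hash"]), e["tag"])


def verify_chain(chain: list):
    """Return (True, None) if every entry and link checks out, else (False, first bad index)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev_hash"] != prev or not verify_entry(e):
            return False, i
        prev = e["entry_hash"]
    return True, None


def verify_report(pdf_bytes: bytes, receipt: dict) -> bool:
    """What a city reviewer does: recompute the PDF hash and compare it with a valid receipt."""
    return verify_entry(receipt) and hmac.compare_digest(
        sha256_hex(pdf_bytes), receipt["payload_sha256"])


def demo():
    """Build a three-entry chain, then rewrite history and show the chain catches it."""
    pdf = b"%PDF-1.7 constructed sample inspection report, site 42"  # constructed
    chain = []
    receipt = append_entry(chain, "tech@example", "sign", "report-42.pdf", pdf,
                           "2024-01-08T14:02:11Z")
    append_entry(chain, "auditor@example", "read", "report-42.pdf", pdf,
                 "2024-01-09T09:15:00Z")
    append_entry(chain, "owner@example", "export", "all-records.csv",
                 b"constructed,csv,rows", "2024-02-01T08:00:00Z")
    assert verify_chain(chain) == (True, None)
    assert verify_report(pdf, receipt)
    assert not verify_report(pdf + b" (edited)", receipt)
    tampered = json.loads(json.dumps(chain))      # deep copy
    tampered[1]["who"] = "nobody@example"          # quietly change who read the report
    return verify_chain(tampered)                  # first bad index is 1


if __name__ == "__main__":
    print(demo())
```

Editing or deleting any middle entry breaks the link from the entry after it, so `verify_chain` reports the first index that no longer fits. The one thing a chain alone cannot detect is silent truncation of the tail, which is why the latest entry hash (or the receipt itself) has to be anchored somewhere the verifier trusts, such as a signed receipt handed to the customer.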
The full security posture.
In flight, at rest, every byte.
TLS 1.3 minimum on every request. AES-256-GCM for data at rest. Per-tenant key wrapping means a compromise of one customer's key never touches another's data.
- TLS 1.3 enforced; weak ciphers disabled
- AES-256-GCM at rest · per-tenant KEK
- Signed PDF hashes in a separate store
- HSTS preload · certificate pinning on the API origin (the HPKP header is deprecated in browsers; pinning only helps non-browser clients)
- Quarterly key rotation · 30-day overlap
- Zero-knowledge mobile sync key
Least-privilege by default.
Role-based permissions across owners, admins, dispatchers, technicians, and read-only auditors. SSO via SAML, OIDC, Google Workspace, or Microsoft 365. SCIM provisioning for teams with >50 seats.
- SSO: SAML 2.0, OIDC, Google, MS 365
- SCIM provisioning & deprovisioning
- Enforced MFA per role
- Granular module permissions
- Session length + IP allow-list per tenant
- Staff access requires customer approval
Pick your region. We honour it.
Your tenant is pinned to one of US-East, US-West, Canada-Central, or EU-West at creation — and it stays there. No hidden replication to a fifth region. Customer data never leaves the region for processing.
- US · CA · EU data regions
- Pinned at tenant creation, no silent migration
- No replication outside your residency zone
- Regional sub-processors only
- Right-to-delete, right-to-export
- GDPR + PIPEDA compliant by default
Point-in-time recovery to any minute, 30 days back.
Transaction log streaming to immutable object storage in a second region (same residency zone). RPO 60 seconds, RTO 30 minutes. We test restores monthly and publish the result on the status page.
- Continuous log streaming
- 30-day point-in-time recovery
- Immutable backup storage · WORM
- RPO 60s · RTO 30m
- Monthly restore tests · published
- Customer-initiated snapshot export
What we've signed our name to.
Independent auditors, real paperwork. Reports available under NDA.
SOC 2 Type II
Annual audit · 12-month observation · report under NDA
ISO/IEC 27001
Information security management system · certified
HIPAA Ready
For healthcare-campus inspection workflows · BAA available
GDPR / PIPEDA
Data processor agreements · EU-West residency available
NFPA 10 / 25 / 72 aligned
Report templates & retention to code
CSA B44 / B149
Canadian code templates built-in
CCPA
California residents: deletion & export in one click
Annual pen test
Third-party offensive security · summary available
Last 6 months of status.
If it moved, we wrote it down. Live status at status.tracelock.tech.
Scheduled · Database failover drill (EU-West)
Quarterly drill, no customer impact. Standby promoted to primary and failed back inside the maintenance window.
Resolved · Elevated PDF export latency (US-East)
22 minutes of delayed PDF generation during a burst of year-start reports. Backpressure added, workers auto-scale from 4→16 now. No data affected.
Resolved · Mobile sync queue stall (<1% of devices)
iOS 17.3 changed a background-task guarantee. 94 devices had queued inspections sync 4–6 hours late; all data delivered, nothing lost. Fixed in app version 4.12.2.
Resolved · SSO outage (Google OAuth-side)
Upstream provider had a 14-minute OAuth outage. Customers using username/password login were unaffected.
Resolved · Canada-Central region maintenance
Database upgrade 02:00–02:14 UTC, within the posted window.
Do your diligence. Ask us anything.
We ship real paperwork, not marketing. Request the SOC 2 Type II report, the pen-test summary, the BAA, the data-processing agreement — whatever your review needs.