Tracuto security overview
Effective date: May 10, 2026
Legal bundle version: 2026-05-10
This page is the public security summary referenced from the DPA Schedule C and from the Privacy Policy. It is written for customers and counsel. We deliberately do not publish exact configurations, tooling, or numerical thresholds, since doing so would weaken the protection itself. For an enterprise security questionnaire please write to [email protected].
1. Operator and contact
| Topic | Detail |
|---|---|
| Operator | KOHA-TECH Sp. z o.o. (trade name Tracuto), ul. Nowy Świat 33/13, 00-029 Warszawa, Poland · KRS 0001183713 · NIP 5253054129 · REGON 542256381 · Share capital PLN 5,000 |
| Security contact | [email protected] |
| Privacy contact | [email protected] |
| Legal correspondence | [email protected] |
2. Where data is processed
| Topic | Detail |
|---|---|
| Production processing | European Economic Area (currently in Germany). |
| Operational mail | A subprocessor with EU data centres, listed at /subprocessors. |
| Billing | Our payment processor (United States), under EU Standard Contractual Clauses (Module 2) and the UK Addendum / Swiss adaptation where applicable, listed at /subprocessors. |
We do not rely on a single adequacy decision as the only safeguard for transfers outside the EEA.
3. Authentication and account security
- Passwords are stored using industry-standard one-way hashing.
- Multi-factor authentication is enforced for all administrative access used by KOHA-TECH staff.
- Customer dashboards support federated login (e.g. Google OAuth 2.0).
- Authentication endpoints are rate-limited to mitigate credential stuffing and brute-force attempts.
- Session cookies are configured with secure attributes appropriate to the deployment, with sliding expiry.
- Password resets always return a uniform response to avoid account-existence enumeration; reset invalidates all sessions for the user.
4. Multi-tenant isolation
- The Service is multi-tenant with strict logical separation between organisations and projects; queries and caches are scoped by tenant identifier.
- Public ingest endpoints fail closed in production when project allow-lists are missing.
- Replay-asset retrieval validates outbound URLs against project-configured allow-lists, with mitigations against SSRF.
- Administrative actions (billing, deletion) require organisation-level ownership, not just user-level access.
5. Cryptography and transport
- TLS 1.2 or higher is enforced on all public traffic, with HSTS.
- Encryption at rest is enabled on the data volume that stores Customer Data and on backups.
- Webhook integrations with the payment processor are verified using signed payloads with idempotency keys.
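Added illustration of the signed-payload-plus-idempotency-key pattern named above; this is example code, not Tracuto's implementation. It assumes a hypothetical header format (`X-Signature: t=<unix-ts>,v1=<hex HMAC-SHA256 of "<ts>.<raw body>">` plus an `X-Idempotency-Key` header) and uses a constructed secret; the timestamp window and the in-memory key store are assumptions.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300  # assumed replay window: deliveries outside it are rejected


def _mac(secret: bytes, body: bytes, ts: int) -> str:
    """HMAC-SHA256 over '<ts>.<raw body>' (assumed scheme); hex encoded."""
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign(secret: bytes, body: bytes, ts: int) -> str:
    """Sender side, for the demo: build the signature header the verifier expects."""
    return f"t={ts},v1={_mac(secret, body, ts)}"


def parse_signature(header: str) -> tuple:
    """Split 't=<ts>,v1=<hex>' into (timestamp, hex); raises on malformed input."""
    parts = dict(p.split("=", 1) for p in header.split(","))
    return int(parts["t"]), parts["v1"]


def verify_webhook(secret: bytes, body: bytes, sig_header: str, now: int) -> bool:
    """True only if the timestamp is within tolerance and the MAC matches (constant time)."""
    try:
        ts, given = parse_signature(sig_header)
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery: treat as a replay
    expected = _mac(secret, body, ts)
    return hmac.compare_digest(expected.encode(), given.encode())


class WebhookProcessor:
    """Applies each verified event once, keyed on the idempotency header."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen: set = set()      # a real deployment persists this (DB/unique index)
        self.applied: list = []     # event ids actually acted on

    def handle(self, body: bytes, sig_header: str, idem_key: str, now: int) -> str:
        if not verify_webhook(self.secret, body, sig_header, now):
            return "rejected"       # bad/forged signature or outside the replay window
        if idem_key in self.seen:
            return "duplicate"      # retried delivery: acknowledge without re-applying
        self.seen.add(idem_key)
        self.applied.append(json.loads(body)["event_id"])
        return "applied"
```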
6. Network and edge
- Traffic reaches the application through a managed CDN/WAF layer providing volumetric mitigation, TLS termination, and basic bot rules.
- Internal services are not reachable from the public internet.
- The application correctly reflects the real client IP behind the edge, for rate limiting and security analytics.
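Added example of the "real client IP behind the edge" point, not Tracuto's code: it peels trusted proxy hops off `X-Forwarded-For` from the right and ignores the header entirely when the TCP peer is not a trusted edge, so a client cannot spoof its address for rate limiting. The edge address ranges are constructed for the demo; a real deployment loads the CDN/WAF vendor's published list.

```python
import ipaddress

# Constructed edge egress ranges for the demo (assumption, not real Tracuto infrastructure).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]


def is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted edge ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: str = "") -> str:
    """Return the address to use for rate limiting and security analytics.

    Walks X-Forwarded-For right to left, dropping hops that are trusted proxies,
    and returns the first untrusted hop. If the TCP peer itself is not a trusted
    proxy the header is attacker-controlled and ignored; unparseable hops fall
    back to the peer address.
    """
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr
    return remote_addr  # header empty or made only of our own edge hops
```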
7. Logging, monitoring, alerting
- Application logs are retained on a 30-day rolling basis; PII is minimised in logs.
- Authentication and authorisation events are recorded with success / failure outcomes.
- Operational alerts are routed to a private channel monitored by KOHA-TECH staff, under a strict no-PII rule.
- Under exceptional load, the oldest Customer Data may be deleted earlier than the plan retention to maintain Service availability, as disclosed in the Privacy Policy §5.
8. Backups and resilience
- Daily encrypted backups of the production database are retained for up to 30 days and overwritten on rotation.
- A restore drill is run at least quarterly; RTO and RPO are documented.
- A disaster-recovery plan identifies an alternative region.
- Personal data inside backups is not indexed for individual deletion; deletion requests are honoured by expiring the backup, not by editing it.
9. Vendor management
The full list of subprocessors is at /subprocessors. Material changes are notified per the DPA §5, currently with 30 days’ prior notice and a right to object on data-protection grounds. Every new subprocessor goes through a documented vendor review (data flows, signed DPA, region check) before activation.
10. Personal-data breach response
- A documented runbook covers detection → containment → eradication → notification → post-mortem.
- Notification SLA to Customers: 48 hours from awareness, per DPA §4.
- Notification to UODO (Polish supervisory authority): 72 hours when Art. 33 GDPR applies.
- Public security contact: [email protected].
11. Reporting a vulnerability
If you believe you’ve found a security issue, please write to [email protected]. We acknowledge reports promptly and ask researchers to:
- avoid privacy violations and service disruption,
- give us reasonable time to remediate before public disclosure,
- not access data that is not yours.
We do not currently operate a paid bug-bounty program. We will publicly thank researchers who report responsibly (with permission).
12. Standards posture
- No certifications claimed today. Tracuto is not ISO 27001, SOC 2, HIPAA, or PCI certified, and we will not claim such certifications until they are formally in place.
- We work towards ISO/IEC 27001:2022 as the first formal milestone; SOC 2 Type II is planned afterwards.
- PCI scope: card data is not stored or processed by Tracuto; payments are handled exclusively by our payment processor.