Security
How we protect investigation data.
Tracelight handles sensitive PII — subjects, evidence, reports, audit trails. The architecture is built for that from the ground up.
Encryption in transit
All connections terminated by Vercel's edge network with TLS 1.3 (TLS 1.2 minimum). HSTS preload-eligible header on every response (max-age=63072000; includeSubDomains; preload).
Encryption at rest
Postgres data encrypted at rest by Supabase infrastructure (AES-256). Long-lived third-party tokens (Slack OAuth bot tokens, etc.) re-encrypted at the application layer with AES-256-GCM and a key separate from the database.
Workspace isolation
Every workspace-scoped table has Row-Level Security (RLS) policies enforced at the database level. Cross-workspace queries return zero rows even from compromised application code — defense in depth, not just app-layer checks. The standard Postgres caveat applies: RLS binds only to roles subject to it, and Supabase's service role bypasses it, so the guarantee covers request paths that run under per-user (anon/authenticated) credentials rather than the service-role key.
Audit logging
Every report view + download recorded. Every API call recorded. Every admin action recorded. Logs retained per workspace for the full retention window (default 90 days; configurable).
Defensible work product
Every claim in a generated report links to its evidence row, which links to the raw API response that produced it. Reproducible months later for depositions, audits, or DSAR requests.
Strict outbound controls
User-controlled webhooks (Slack, Discord, Teams, Zapier) are SSRF-guarded: the destination hostname is DNS-resolved at dispatch time, and private and link-local addresses are refused. Cron endpoints are Bearer-only, with the token compared in constant time.
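As an added example (not Tracelight's code; the function names, the exact ranges covered, and the hypothetical hook URL are my assumptions), here is what a dispatch-time SSRF guard and a constant-time Bearer check look like in TypeScript on Node, the runtime Next.js API routes execute in. It goes one step beyond the text: IPv4-mapped IPv6 answers are unwrapped and judged by the IPv4 rules, so ::ffff:127.0.0.1 cannot slip past a check that only inspects dotted IPv4.

```typescript
import { isIP } from "node:net";
import { promises as dns } from "node:dns";
import { createHash, timingSafeEqual } from "node:crypto";

// Added example with hypothetical function names; not Tracelight's own code.

// IPv4 ranges a webhook dispatcher must never dial: "this network", RFC 1918,
// loopback, link-local (incl. the 169.254.169.254 cloud metadata endpoint),
// CGNAT, and everything from multicast upward (reserved + broadcast).
function isBlockedV4(ip: string): boolean {
  const [a = -1, b = -1] = ip.split(".").map(Number);
  return (
    a === 0 ||
    a === 10 ||
    a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127) ||
    a >= 224
  );
}

// IPv6: unspecified, loopback, link-local, unique-local, multicast, and the
// IPv4-mapped forms, which are unwrapped and judged by the IPv4 rules.
// Assumption: only the dotted and plain-hex ::ffff: spellings are handled here;
// a canonicalising library (e.g. ipaddr.js) is safer for exotic forms.
function isBlockedV6(ip: string): boolean {
  const lower = ip.toLowerCase();
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(lower);
  if (dotted) return isBlockedV4(dotted[1] ?? "");
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(lower);
  if (hex) {
    const hi = parseInt(hex[1] ?? "0", 16);
    const lo = parseInt(hex[2] ?? "0", 16);
    return isBlockedV4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
  }
  if (lower === "::" || lower === "::1") return true;
  if (lower.startsWith("fe80:")) return true;
  if (/^f[cd]/.test(lower)) return true;
  if (lower.startsWith("ff")) return true;
  return false;
}

/** True when a resolved address literal must not be dialled. Anything that is
 *  not a clean IP literal (e.g. "localhost", octal "0177.0.0.1") is refused. */
export function isBlockedAddress(addr: string): boolean {
  const family = isIP(addr);
  if (family === 4) return isBlockedV4(addr);
  if (family === 6) return isBlockedV6(addr);
  return true;
}

/** Synchronous policy check over a URL and the addresses it resolved to.
 *  Returns the parsed URL or throws; kept pure so it can be unit-tested. */
export function validateWebhookTarget(rawUrl: string, resolved: string[]): URL {
  const url = new URL(rawUrl); // throws on malformed input
  if (url.protocol !== "https:") throw new Error("webhook URL must use https");
  if (url.username || url.password) throw new Error("credentials in webhook URL are not allowed");
  if (resolved.length === 0) throw new Error(`no addresses for ${url.hostname}`);
  for (const addr of resolved) {
    if (isBlockedAddress(addr)) throw new Error(`refusing ${url.hostname} -> ${addr}`);
  }
  return url;
}

/** Dispatch-time guard: resolve once, check every answer, hand back the vetted
 *  addresses. To close the DNS-rebinding window between check and use, the HTTP
 *  client should connect to one of these addresses (custom agent/lookup) and
 *  not resolve the hostname a second time. */
export async function resolveWebhookTarget(
  rawUrl: string,
  lookup: (host: string) => Promise<string[]> = defaultLookup,
): Promise<{ url: URL; addresses: string[] }> {
  const host = new URL(rawUrl).hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const addresses = isIP(host) ? [host] : await lookup(host);
  return { url: validateWebhookTarget(rawUrl, addresses), addresses };
}

async function defaultLookup(host: string): Promise<string[]> {
  const answers = await dns.lookup(host, { all: true });
  return answers.map((a) => a.address);
}

/** Cron auth: Bearer-only, compared in constant time. Hashing both sides first
 *  yields equal-length buffers, so timingSafeEqual never throws on a length
 *  mismatch (which would itself leak the secret's length). */
export function isAuthorizedCron(authorization: string | null | undefined, expectedSecret: string): boolean {
  const m = /^Bearer (\S+)$/i.exec(authorization ?? "");
  if (!m) return false;
  const presented = createHash("sha256").update(m[1] ?? "").digest();
  const expected = createHash("sha256").update(expectedSecret).digest();
  return timingSafeEqual(presented, expected);
}
```

validateWebhookTarget is the piece worth unit-testing with constructed resolver answers; resolveWebhookTarget wraps it with a real lookup. The blocklist is deliberately conservative: refusing anything that is not a clean IP literal costs nothing, because the only input it ever sees is resolver output.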
Security headers on every response
Every page + API route ships with the following headers. They're configured statically in next.config.ts, not optional middleware.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Forces HTTPS for two years on the apex + every subdomain. Preload-eligible: once submitted to the HSTS preload list, browsers refuse HTTP entirely.
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' (allowlisted vendors); object-src 'none'; frame-ancestors 'none'; …
Restricts script, style and media sources to self plus an explicit allowlist (Stripe, Anthropic, Resend tracking pixel, Vercel Analytics, HubSpot Forms); object-src 'none' disables plugin content, and frame-ancestors 'none' prevents click-jacking. Note that 'unsafe-inline' in script-src permits inline scripts, so the script directive limits which hosts code can be loaded from rather than stopping injected inline script; nonces or hashes are the usual way to close that gap.
X-Frame-Options: DENY
Belt + suspenders for click-jacking, alongside CSP frame-ancestors.
X-Content-Type-Options: nosniff
Prevents browsers from MIME-sniffing untrusted content.
Referrer-Policy: strict-origin-when-cross-origin
Outbound links don't leak full URL paths to third parties.
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
Tracelight doesn't need any of these powerful APIs, so they are explicitly disabled for the page and every embedded frame; spelling that out is good hygiene.
Operations
- ▸Hosted on Vercel (US-East primary, global edge for static assets) with Supabase as the database. Both vendors are SOC 2 Type II audited.
- ▸Daily automated database backups; nightly snapshot to a separate Supabase project. Recovery point objective: 24 hours.
- ▸Service-role secrets stored in Vercel encrypted environment variables; rotated on key compromise.
- ▸Dependency scanning on every install. Ongoing: critical vulns patched within 24 hours of disclosure; high within 7 days.
- ▸Cron-driven retention purge: subjects, evidence, reports, monitors, alerts auto-deleted at the workspace's configured retention window (default 90 days).
- ▸Audit log entries are immutable from application code (insert-only RLS policy).
Compliance posture
- ▸FCRA-aware: consent capture is enforced in the report-generation flow before producing any FCRA-flagged work product. Pre-built adverse-action notice templates included.
- ▸GDPR-friendly: per-subject DSAR export endpoints in JSON format. Per-workspace retention controls. Right-to-erasure executed by deleting the subject (cascades to all related evidence + monitors + alerts).
- ▸SOC 2 Type II: on the 2026 roadmap once customer demand justifies the audit cost. Current architecture is SOC 2-ready — encryption, RLS, audit logging, no shared infra.
Found a vulnerability?
Email security@trytracelight.com. We'll acknowledge within 1 business day and work with you on a coordinated disclosure timeline. Bug bounty program coming when we're bigger; for now, credit + swag is the best we can offer.
Machine-readable disclosure policy: /.well-known/security.txt (RFC 9116).
