Security — Traciqo

Security is foundational to an authentication platform. This page describes the technical and organisational measures we use to protect data on Traciqo, and is written to be accurate about where we are today.

An honest note on certifications. Traciqo's controls are designed to align with the UK/EU GDPR and with the SOC 2 and ISO/IEC 27001 frameworks. We are not yet independently certified or audited against SOC 2 Type II or ISO/IEC 27001. "Ready" means our architecture and practices are built toward those standards; it does not claim a completed audit. We will update this page if and when formal attestations are obtained.

Tenant isolation

Each business customer is provisioned a separate, isolated workspace with its own database. Customer data is not commingled across tenants, and logins are scoped so that one tenant cannot access another's data or the platform's administrative master site.

Encryption

In transit: Traffic to the platform is served over HTTPS/TLS.
At rest: Sensitive secrets — including API secrets, stored SMTP credentials, and payment-provider keys — are stored encrypted rather than in plain text.

Access control & authentication

Role-based access controls govern what each user can see and do within a workspace.
Client and end-user logins are separated from administrative access; clients cannot log in to the platform's master/admin site.
API access uses per-business API keys and secrets, with separate credentials for live and sandbox environments.
Outbound webhooks are signed with an HMAC-SHA256 signature so that you can verify payload authenticity and integrity.

Payments

Payments are processed by Stripe. Traciqo does not store full payment card numbers; card data is handled by Stripe within their PCI-DSS-compliant environment.

Backups & resilience

Frequent incremental (binary log) backups capture changes throughout the day.
Daily off-site backups provide recovery points in the event of failure.
Backups are rotated on a defined retention schedule.

Fraud & counterfeit detection

The platform records scan events with device fingerprints, approximate geolocation, and anomaly signals. When a single code appears across many locations or devices in a way that suggests cloning, the system can flag the scan as anomalous — helping brands detect potential counterfeiting.

Hosting

Traciqo is hosted on Oracle Cloud Infrastructure. Infrastructure and network controls are managed in line with cloud security best practices.

Data protection

Our handling of personal data, sub-processors, international transfers, and data-subject rights is described in our Privacy Policy. We support data access, correction, and deletion requests as required by the UK GDPR and Data Protection Act 2018.

Responsible disclosure

If you believe you have found a security vulnerability, please report it responsibly to [email protected]. Please give us reasonable time to investigate and remediate before any public disclosure, and do not access or modify data that is not yours while testing.

Roadmap

We are continually strengthening our security program. Planned work includes formal SOC 2 Type II and ISO/IEC 27001 readiness assessments, expanded logging and monitoring, and a published sub-processor change-notification process. This page will be updated as milestones are reached.

Contact

Security and privacy enquiries: [email protected].