Security & Trust
How Aura protects your data — EU residency, encryption, isolation, and cryptographic trust built on open standards.
Infrastructure
Aura runs on Google Cloud Platform. EU data residency (Frankfurt, europe-west3) is available on Enterprise plans for customers requiring data to remain within EU borders.
Tenant isolation
Every customer gets a fully isolated environment:
- Dedicated database — no shared tables, no co-mingled data
- Dedicated infrastructure — isolated compute and storage resources
- Dedicated encryption keys — each tenant’s data is encrypted with its own key
There is no multi-tenant data layer. One customer’s environment cannot access another’s, by design.
Encryption
- At rest: AES-256 encryption for all stored data, managed through Google Cloud KMS with per-tenant keys
- In transit: TLS 1.2+ enforced on all connections — API calls, browser sessions, and inter-service communication
Data retention
DPP compliance data is retained for a minimum of 10 years, aligned with the retention requirements in the EU Ecodesign for Sustainable Products Regulation (ESPR). Retention policies are applied automatically at the platform level. Customers do not need to manage archival or lifecycle rules.
Cryptographic trust
Every Digital Product Passport issued by Aura is cryptographically signed and independently verifiable:
- W3C Verifiable Credentials — DPPs are issued as standards-compliant credentials
- Ed25519 digital signatures — each credential is signed with a tamper-evident signature
- did:web identifiers — issuers are identified using decentralised identifiers resolvable over HTTPS
- Tamper-evident records — any modification to a signed credential invalidates the signature
Third parties — regulators, auditors, trading partners — can verify the authenticity of any DPP without contacting Aura.
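The did:web step listed above, from the verifier's side, as an added example that is not Aura's code: it maps an issuer DID to the HTTPS URL of its DID document following the did:web method rules, then returns the signing key only when the fetched document actually belongs to that DID. The issuer domain, key id and sample document are constructed placeholders, and the Ed25519 signature check itself is assumed to be done by a cryptographic library.

```python
import re
from urllib.parse import unquote

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile("(?:" + _LABEL + r"\.)*" + _LABEL)
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._~-]+")

# Constructed sample: issuer.example and key-1 are placeholders, not Aura values.
SAMPLE_DID = "did:web:issuer.example"
SAMPLE_DOC = {
    "id": SAMPLE_DID,
    "verificationMethod": [{
        "id": SAMPLE_DID + "#key-1",
        "type": "Ed25519VerificationKey2020",
        "controller": SAMPLE_DID,
        "publicKeyMultibase": "zPLACEHOLDER",
    }],
}


def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID document."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    # A fragment such as '#key-1' names a key inside the document, not a URL part.
    host_part, *path = did[len("did:web:"):].split("#", 1)[0].split(":")
    # The port colon is the only character percent-encoded in the host part.
    host, sep, port = unquote(host_part).lower().partition(":")
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    if sep and not (re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536):
        raise ValueError("invalid port")
    if any(s in (".", "..") or not _SEGMENT_RE.fullmatch(s) for s in path):
        raise ValueError("invalid path segment")
    tail = "/".join(path) if path else ".well-known"
    return f"https://{host}{sep}{port}/{tail}/did.json"


def select_key(did: str, did_doc: dict, key_id: str) -> dict:
    """Return verification method `key_id` only if the document is for `did`."""
    if did_doc.get("id") != did:
        raise ValueError("DID document id does not match the resolved DID")
    if not key_id.startswith(did + "#"):
        raise ValueError("key id is not under the issuer DID")
    for vm in did_doc.get("verificationMethod", []):
        if vm.get("id") == key_id and vm.get("controller") == did:
            return vm
    raise ValueError("verification method not found")
```

Rejecting a document whose `id` differs from the DID that was resolved keeps a verifier from accepting a key published under a different issuer's name.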
GDPR compliance
Data controller: Trackvision AI Ltd, registered in England and Wales.
Aura is built with privacy by design:
- Data minimisation — the platform collects only the data required for DPP compliance
- Purpose limitation — data is processed solely for the purposes described in our Privacy Policy
- Right to erasure — users can request deletion of personal data in accordance with GDPR Article 17
- Data processing agreements — available on request for all customers
For full details, see our Privacy Policy and Terms & Conditions.
Open standards
Aura stores all data in standards-compliant formats. There is no vendor lock-in:
- GS1 Digital Link — product identifiers and resolver infrastructure
- W3C Verifiable Credentials — credential issuance and verification
- ESPR / EPRS framework — regulatory data categories and compliance structures
Your data is portable. It can be exported, verified, and consumed by any standards-compliant system.
Infrastructure certifications
Aura runs on Google Cloud Platform. Each customer environment is a dedicated, isolated GCP project. Google Cloud’s infrastructure certifications apply to every Aura deployment:
- SOC 1 / SOC 2 / SOC 3 — independently audited controls for security, availability, and confidentiality
- ISO 27001 — information security management
- ISO 27017 — cloud-specific security controls
- ISO 27018 — protection of personal data in the cloud
- ISO 27701 — privacy information management (GDPR-aligned)
- CSA STAR — Cloud Security Alliance assessment
Full details: Google Cloud compliance
AI and data privacy
Your data is yours. It is never shared, sold, or used to train AI models.
- No model training on customer data — your product data, supplier documents, and compliance records are never used to train, fine-tune, or improve any AI model, ours or third-party
- No cross-tenant data access — AI models operate within your isolated environment only. One customer’s data never influences another’s results
- No data sharing with AI providers — when Aura uses third-party AI services for document extraction or research, your data is processed under strict data processing agreements with zero-retention policies. No provider retains or trains on your inputs.
- Audit trail — every AI-generated output is logged with the model, prompt, and timestamp so you can trace any decision
Authentication and access control
- Role-based access control (RBAC) — permissions are scoped by role (admin, editor, viewer) at the organisation level
- Audit logging — all platform actions are logged with user, timestamp, and action detail
- Secure authentication — industry-standard authentication with support for SSO integration
Security testing
- Monthly penetration testing — third-party security assessments conducted every month against the platform and infrastructure
- Vulnerability disclosure — if you discover a security issue, report it to hello@trackvision.app. We acknowledge all reports within 48 hours and provide resolution timelines within 5 business days.
Data portability and business continuity
All data in Aura is stored in open, standards-compliant formats (GS1 Digital Link, W3C Verifiable Credentials, EPRS JSON). You can export your complete dataset at any time via the platform or API.
- No lock-in — your data is yours and portable to any standards-compliant system
- Bulk export — full product catalogue, supplier records, compliance data, and signed credentials available for download at any time
- Business continuity — in the event of service discontinuation, all customers will receive a minimum of 90 days notice and full access to export their data before any systems are decommissioned
Disaster recovery
- Automated backups — all customer data is backed up continuously
- Cross-region replication — backups are replicated across Google Cloud regions for resilience
- Recovery targets — Recovery Point Objective (RPO) under 1 hour, Recovery Time Objective (RTO) under 4 hours
Data Processing Agreement
A summary of our Data Processing Agreement is available at /dpa/. Full DPAs are provided to all customers on Growth and Enterprise plans.
Contact
For security inquiries, vulnerability reports, or to request a Data Processing Agreement, contact hello@trackvision.app.