OnTrackio

Security and compliance

Exactly what we run, where it runs, and what we have evidence for. Where an audit clock hasn't started yet, we say so plainly.

What you'd ask the auditor

The current state of every framework we touch, updated as the clocks advance. No "in progress" hand-waving.

Standard | Status | Evidence available
GDPR | Implemented | DPA · RoPA · DSAR pipeline · Sub-processor list · Right-to-erasure
NIS2 Article 21 + 23 | Evidence pack live | Coverage taxonomy doc · Quarterly regulatory update brief
SOC 2 Type II | Clock not yet started | Controls in place; observation window targeted H2 2026
ISO 27001 | Targeted H2 2026 | Policy set + control mapping ready for auditor
DORA / AI Act | Evidence packs (Enterprise tier) | Article-scope documents; see contract for inclusions

Where your data lives

  • Frankfurt, Germany. All customer data in AWS eu-central-1. No US fallback, no cross-region replication outside the EU.
  • Encryption. TLS 1.2+ in transit (1.3 negotiated where supported). AES-256 at rest on RDS via AWS KMS. Customer-managed keys (BYO-KMS) available on Enterprise.
  • Database-per-tenant. Every customer gets a physically isolated PostgreSQL database via stancl/tenancy. Cross-tenant leaks aren't a category of bug we can introduce by accident.
  • Backups. Encrypted RDS snapshots daily, retained 14 days on Business, 30 days on Enterprise. Frankfurt-resident; not copied cross-region.

Identity & access

  • SSO. Google Workspace, Microsoft Entra ID, and generic SAML 2.0, configured per tenant, with allowed-domain enforcement and named-collaborator bypass.
  • MFA. TOTP + WebAuthn passkeys. Org policy enforces MFA for admins, all users, or specific roles. SAML SSO falls back to local TOTP when the IdP's MFA assertion is missing.
  • SCIM 2.0. Joiner, mover, and leaver provisioning from Okta and Entra. Group-to-role mapping with audit-logged automatic grant and revoke.
  • Admin IP allowlist. Per-tenant CIDR list on /admin/*. Per-API-token CIDR for machine integrations.
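The admin allowlist and per-token CIDR bullets above describe a request-time check. The following is an added example, not OnTrackio's code, of how such a check can be evaluated with Python's standard `ipaddress` module. Everything about the data shape is assumed for the example: allowlists are plain lists of CIDR strings, the client address arrives already resolved by the edge (no `X-Forwarded-For` parsing here), an empty tenant list means the feature is not configured, and `None` for the token list means that token carries no IP restriction. It also handles one edge case a naive string comparison misses: dual-stack listeners reporting IPv4 clients as IPv4-mapped IPv6 addresses.

```python
"""Added example (not OnTrackio's code): per-tenant admin CIDR allowlist plus
per-API-token CIDR restriction. Data shapes and the empty-list/None semantics
below are assumptions for the example, not documented product behaviour."""
import ipaddress
from typing import Iterable, Optional, Tuple


def parse_allowlist(cidrs: Iterable[str]) -> list:
    """Turn CIDR strings into network objects.

    A malformed entry raises ValueError instead of being skipped, so a typo
    in the allowlist can never silently widen or shrink it at request time.
    strict=False accepts host-bit forms such as "10.0.0.1/24" and normalises
    them to the network "10.0.0.0/24".
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalise_client_ip(client_ip: str):
    """Parse the client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Without this, an IPv4 CIDR entry would never match a client that a
    dual-stack socket reports as an IPv6Address.
    """
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def ip_in_any(addr, networks) -> bool:
    return any(addr in net for net in networks)


def authorize_request(path: str, client_ip: str,
                      tenant_admin_cidrs: Iterable[str],
                      token_cidrs: Optional[Iterable[str]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    - token_cidrs is None  -> the API token has no IP restriction (assumed)
    - token_cidrs == []    -> the token is usable from nowhere (fail closed)
    - tenant_admin_cidrs empty -> admin allowlist not configured, so /admin/*
      is not IP-restricted (assumed)
    """
    addr = normalise_client_ip(client_ip)

    # Per-API-token CIDR check applies to every path the token is used on.
    if token_cidrs is not None:
        if not ip_in_any(addr, parse_allowlist(token_cidrs)):
            return False, "token-cidr"

    # Per-tenant CIDR check applies only to the admin surface.
    is_admin_path = path == "/admin" or path.startswith("/admin/")
    if is_admin_path:
        admin_nets = parse_allowlist(tenant_admin_cidrs)
        if admin_nets and not ip_in_any(addr, admin_nets):
            return False, "admin-allowlist"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample checks (RFC 5737 / RFC 1918 addresses)
    tenant = ["10.1.0.0/16", "2001:db8:1::/48"]
    for case in [("/admin/users", "10.1.2.3", tenant, None),
                 ("/admin/users", "::ffff:10.1.2.3", tenant, None),
                 ("/admin/users", "192.0.2.9", tenant, None),
                 ("/api/assets", "192.0.2.9", tenant, None),
                 ("/api/assets", "203.0.113.1", tenant, ["198.51.100.0/24"])]:
        print(case[:2], authorize_request(*case))
```

The two checks are deliberately separate: a token restriction is a property of the credential and follows it everywhere, while the tenant allowlist is a property of the admin surface. Keeping the decision in one function with a named reason makes the denial easy to log and to test.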

GDPR posture

We're a data processor for tenant data and a data controller for our own marketing pipeline. The split is documented in the DPA.

  • Article 5, 6, 12–22, 25, 32, 33, 34 implemented: lawfulness, transparency, data subject rights, privacy by design, security of processing, and breach notification.
  • DPA available on day one. Request from privacy@ontrackio.com.
  • DSAR pipeline. Email privacy@ontrackio.com; statutory 30-day response per Article 12(3).
  • Right to erasure (Article 17) implemented as pseudonymisation rather than hard delete, so your audit trail stays intact per EDPB Guidelines 04/2025.
  • Article 30 RoPA maintained internally; customer-facing extract available on request.
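The erasure-as-pseudonymisation bullet above is worth seeing in code, because the point is not just "don't delete the row": the surrogate id and the audit rows that reference it stay, the direct identifiers are overwritten with a keyed pseudonym, identifiers that leaked into free-text audit fields are replaced too, and the erasure itself becomes an audit event. The following is an added example, not OnTrackio's implementation. The in-memory tables, the HMAC key, the field list and the `erased-` prefix are all constructed for the example.

```python
"""Added example (not OnTrackio's code): Article 17 erasure implemented as
pseudonymisation so the audit trail keeps its integrity. The data model,
sample rows and DEMO_KEY are constructed for illustration."""
import copy
import hashlib
import hmac

# Direct identifiers that must be removed from the user record (assumed list).
PII_FIELDS = ("name", "email", "phone")

# Constructed sample data: a users table keyed by surrogate id, and an audit
# log whose rows reference that id (and, in one row, leak an email address).
USERS = {
    42: {"id": 42, "name": "Ada Example", "email": "ada@example.org",
         "phone": "+49 30 0000", "role": "admin"},
}
AUDIT_LOG = [
    {"ts": "2025-01-10T09:00:00Z", "actor_id": 42, "action": "login"},
    {"ts": "2025-01-11T10:30:00Z", "actor_id": 42, "action": "asset.update",
     "detail": "invited ada@example.org to asset laptop-0017"},
]

# In a real system this key lives outside the tenant database (KMS/secret
# store); holding it with the data would defeat the pseudonymisation.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def pseudonym(user_id: int, key: bytes) -> str:
    """Stable keyed alias for a user id.

    Stable, so every table that referred to the user still correlates after
    erasure; keyed, so the alias cannot be regenerated without the key.
    """
    digest = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return "erased-" + digest[:16]


def erase_user(users: dict, audit_log: list, user_id: int, key: bytes,
               erased_at: str) -> str:
    """Pseudonymise one user in place and return the alias used."""
    user = users[user_id]
    alias = pseudonym(user_id, key)
    identifiers = [user[f] for f in PII_FIELDS if user.get(f)]

    # 1. Overwrite direct identifiers; keep the surrogate id, role and any
    #    non-identifying attributes the audit trail depends on.
    for field in PII_FIELDS:
        user[field] = None
    user["display_name"] = alias
    user["erased_at"] = erased_at

    # 2. Audit rows keep actor_id so actions remain attributable to the
    #    same (now pseudonymous) principal, but identifiers that ended up in
    #    free-text fields are replaced with the alias.
    for row in audit_log:
        for key_name, value in row.items():
            if isinstance(value, str):
                for ident in identifiers:
                    value = value.replace(ident, alias)
                row[key_name] = value

    # 3. The erasure is itself an auditable event.
    audit_log.append({"ts": erased_at, "actor_id": "system",
                      "action": "user.erase", "target_id": user_id,
                      "detail": f"pseudonymised as {alias}"})
    return alias


def run_demo():
    """Run the erasure on copies of the sample tables and return the result."""
    users, log = copy.deepcopy(USERS), copy.deepcopy(AUDIT_LOG)
    alias = erase_user(users, log, 42, DEMO_KEY, "2025-02-01T12:00:00Z")
    return users, log, alias


if __name__ == "__main__":
    users, log, alias = run_demo()
    print(users[42])
    for row in log:
        print(row)
```

Two design points carry the compliance argument: the alias is derived with a keyed hash rather than a random token so that every reference to the user across tables resolves to the same pseudonym, and the audit log is scanned for leaked identifiers rather than trusted to contain only foreign keys.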

What our NIS2 pack covers

We map your asset and identity state to Article 21 sub-controls (a–j) and the Article 23 24-hour incident-notification workflow. Every claim is labelled with its evidence class:

  • itam_native_evidence: ITAM data is the primary proof (asset inventory, MFA enrolment rate).
  • itam_hygiene_floor: ITAM provides the baseline; you still need policy work on top.
  • itam_proxy: adjacent evidence; a real GRC system gives stronger coverage.
  • outside_itam_scope: we don't help here. Vanta, Drata, and AuditBoard do.

Compliance is still your responsibility as data controller. We hand you the evidence, not the legal attestation.

Who else touches your data

Per GDPR Article 28(2). Material changes get 30 days' notice before they take effect.

Vendor | Purpose | Region | DPA
Amazon Web Services (AWS) | Compute, database, object storage, KMS, CDN, DNS | eu-central-1 (Frankfurt) | View →
Cal.com | Demo call scheduling | EU instance | View →
Amazon SES | Transactional email delivery | eu-central-1 (Frankfurt) | View →
Stripe | Billing + tax calculation | Ireland (EU) | View →

Vulnerability disclosure

Email security@ontrackio.com. We acknowledge within one business day. 90-day coordinated disclosure, extendable on request. Hall-of-fame credit on request.

Privacy & DSAR

Email privacy@ontrackio.com for data-subject requests, DPA copies, or the sub-processor list. Statutory 30-day response per Article 12(3).

Want the security pack?

After a 30-minute call we'll send the current Article 21 evidence pack, the sub-processor list, the DPA template, and a pre-filled security questionnaire.