GDPR
ActiveEU General Data Protection Regulation. Privacy Policy published, data subject rights documented, lawful basis defined for each processing activity.
Compliant since launch
TRUST & SECURITY
Security and transparency, by design.
TradeHox builds AI infrastructure for regulated, audit-sensitive industries. Here’s exactly how we handle your data, what we’re committed to, and where we are on our compliance roadmap.
- Zero-trust data model
- TLS 1.3 + encryption at rest
- Self-hosted or cloud
- SOC 2 Type I — Q3 2026
COMPLIANCE STATUS
Where we are. Where we're going.
We believe transparency about compliance is more valuable than vague promises. Here's our actual status.
DPDP Act 2023
ActiveIndia's Digital Personal Data Protection Act. Consent-based processing, data principal rights enabled, breach notification protocols documented.
Compliant since launch
SOC 2 Type I
In progressService Organization Control Type I audit. Security controls assessment by independent auditor. Pre-audit gap analysis starting July 2026.
Target: Q3 2026
SOC 2 Type II
PlannedOperational effectiveness audit over a 6–12 month observation period. Required for most enterprise sales above $500K ARR.
Target: Q2 2027
ISO 27001
PlannedInternational information security management standard. Planned after SOC 2 Type II completion.
Target: 2028
HIPAA
Available on requestFor healthcare-adjacent engagements. Business Associate Agreement available on request. Custom security review required per engagement.
Per-engagement
SECURITY POSTURE
Defense in depth, across every layer.
- TLS 1.3 for all data in transit
- AES-256 encryption at rest
- Encrypted database backups
- Key management via cloud provider HSMs (AWS KMS / GCP KMS)
- No customer data in client-side logs
DATA LIFECYCLE
How your data moves through our systems.
- 01
Collection
- We collect only what we need to deliver services
- Contact form data and engagement-related operational data
- No tracking pixels, no cookies, no fingerprinting
- 02
Transit
- TLS 1.3 encryption end-to-end
- No data transmitted over insecure channels
- Certificate pinning on critical endpoints
- 03
Storage
- AES-256 encryption at rest
- Geographic data residency (US / EU / Singapore configurable)
- Encrypted backups stored in separate region
- 04
Processing
- Data access logged at decision-level
- LLM providers configured with zero data retention
- Customer data never used for model training
- Per-engagement isolation — no cross-client data leakage
- 05
Disposal
- Active engagement data deleted within 30 days of contract end
- 7-year financial record retention per legal requirements
- Hard deletion confirmed via cryptographic proof on request
SUBPROCESSORS
Every vendor that touches your data.
We use carefully selected service providers. Here's the complete list, what they do, where they're located, and their compliance status.
| Subprocessor | Purpose | Data processed | Location | Compliance |
|---|---|---|---|---|
| Vercel | Web hosting + edge functions | Contact form submissions, page visits | USA (primary), global edge | SOC 2 Type II, ISO 27001 |
| Supabase | Database + authentication | Application data, user records | Configurable (US / EU / Singapore) | SOC 2 Type II |
| Resend | Transactional email | Email addresses, message content | USA | SOC 2 Type II, GDPR-compliant |
| Cal.com | Calendar booking | Names, emails, meeting details | USA (open source — self-hostable) | GDPR-compliant |
| Plausible Analytics | Privacy-first website analytics | Anonymous, aggregated page metrics only | EU (Germany) | GDPR, CCPA, PECR |
| OpenAI | LLM inference (client deployments) | Per-engagement only, isolated by client Zero data retention configured | USA | SOC 2 Type II, GDPR |
| Anthropic | LLM inference (client deployments) | Per-engagement only, isolated by client Zero data retention configured | USA | SOC 2 Type II, ISO 27001, GDPR |
| Pinecone | Vector database (per-engagement deployments) | Per-engagement only | Configurable | SOC 2 Type II, HIPAA |
We notify customers 30 days before adding any new subprocessor. Questions? [email protected]
INCIDENT RESPONSE
When things go wrong.
Security incidents happen. What matters is how they're handled. Here's our protocol.
Detection
- 24/7 automated monitoring across all infrastructure
- Anomaly detection on access patterns, error rates, and traffic
- Customer-reportable channel: [email protected]
Response
- Initial triage within 1 hour of detection
- Customer notification within 24 hours of confirmed breach
- Affected systems isolated immediately
- Forensic logs preserved for analysis
Remediation
- Root cause analysis within 72 hours
- Public post-mortem for material incidents
- Customer-specific remediation plans
- Compensation per SLA terms if applicable
Disclosure
- Regulatory notification within mandatory timeframes (GDPR 72h, DPDP Act 72h)
- Customer notification with technical details
- Public disclosure for systemic issues
- No NDA pressure to suppress incidents
RESPONSIBLE DISCLOSURE
Found a security issue? We want to hear from you.
TradeHox welcomes responsible security disclosure from researchers and customers.
Send vulnerability reports to:
[email protected]PGP key: tradehox.com/.well-known/pgp-key.asc (coming Q3 2026)
What to include
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Your contact information
We commit to
- Acknowledge receipt within 24 hours
- Initial assessment within 72 hours
- No legal action against good-faith researchers
- Public credit (if desired) after fix is deployed
- Bug bounty for critical issues — program details Q4 2026
Out of scope
- Social engineering attacks
- Physical access attacks
- DoS / DDoS
- Third-party services we don't control
QUESTIONS ABOUT TRUST?
Security questionnaires welcome.
We’ve completed enterprise security reviews before. Send your questionnaire or request our standard responses document — typically turned around within 2 business days.