Security

How your data is protected.

Last updated 2026-04-24 · v2.0

The measures below are Annex II to our DPA: the technical and organisational controls we commit to, contractually, for every customer. How these controls map to specific frameworks (SOC 2, ISO 27001, IEC 62443, NIS2) is tracked at /legal/trust.

In transit

TLS 1.3 on every hop: Cloudflare edge → Firebase Hosting → Firestore/Cloud Storage. HSTS preloaded on sutrace.io. Certificates are Cloudflare-managed with automatic renewal; that is certificate lifecycle management, not public-key pinning (HPKP is deprecated in browsers and is incompatible with automatic certificate rotation).

At rest

Firestore + Cloud Storage encrypt data at rest with Google-managed keys by default (AES-256; Cloud KMS is FIPS 140-2 validated). Customer-managed encryption keys (CMEK) are available on the Scale plan via Google Cloud KMS: generate the key in KMS or import your own key material.

Access

  • Customer access: per-user Firestore security rules (every read + write is authorised against the signed-in user + workspace membership).
  • Admin access: hard-coded 4-email allowlist in lib/admin.ts, synchronised into Firestore rules via CI-enforced marker blocks; no path to admin without being on the allowlist.
  • Internal engineering access: SSO + MFA + just-in-time approval; production access is not granted by default.
  • Session: Firebase ID tokens expire after 60 minutes and are refreshed for as long as the session is active; the dashboard signs the user out after 120 min of inactivity.

Anti-abuse

Google reCAPTCHA Enterprise via Firebase App Check attests every Firestore / Auth / Storage call from the browser. App Check is an app-integrity signal, not an authorisation control: every request is still authorised by Firestore security rules against the signed-in user. Cloudflare provides L3/L4 DDoS mitigation + WAF. Sanctions screening (OFAC, EU, UK) runs at signup; matches are blocked.

Network + isolation

  • No SSH into production. No VPN into production.
  • All compute is serverless (Firebase Hosting for static export; Firestore + Cloud Functions as needed).
  • No public ingress to internal services. Admin surface isolated on admin.sutrace.io with independent auth guard.
  • Per-workspace logical isolation enforced by Firestore security rules + App Check; no shared mutable state between tenants.

Data redaction + data-minimisation

Every protocol adapter runs an on-host filter chain before any data leaves the host: protocol-specific parser → field-level redaction rules → prompt/payload tokenisation (for AI agents) → sampling → batch + compress + mTLS. By default we never export raw PLC register values, LLM prompts / completions, HTTP request/response bodies larger than 1 KB, user-identifying log fields (email, IP, session), or camera frames. See the product doc at /admin/strategy/03-protocols-and-detection for the full chain.
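The chain above, as an added example in TypeScript. This is not sutrace's adapter code: it is an illustrative pipeline in the same shape (parse → redact → tokenise → sample → batch + compress) run over constructed events. Field names, the sampling rates, the per-host token key and the token format are assumptions; the mTLS transport is out of scope here.

```typescript
// Added example, not sutrace's adapter code: a minimal on-host filter chain in
// the shape described above (parse -> redact -> tokenise -> sample -> batch),
// run over constructed events. Field names, sampling rates and the token format
// are assumptions; the mTLS upload of the returned buffer is not shown.
import { createHmac } from "node:crypto";
import { gzipSync, gunzipSync } from "node:zlib";

export type Event = { proto: string; ts: number } & Record<string, unknown>;

const MAX_BODY_BYTES = 1024;                    // HTTP bodies > 1 KB never leave the host
const PII_FIELDS = ["email", "ip", "session"];  // user-identifying fields, always dropped
// Raw payload fields per protocol, replaced by an opaque token (assumed names).
const TOKENISED: Record<string, string[]> = {
  modbus: ["registers"], llm: ["prompt", "completion"], camera: ["frame"],
};
const SAMPLE_ONE_IN: Record<string, number> = { modbus: 4, http: 2 }; // assumed rates
// Per-host tokenisation key (constructed). It stays on the host, so the ingest
// side cannot reverse tokens for low-entropy payloads by dictionary attack.
const TOKEN_KEY = Buffer.from("per-host-secret-never-exported");

// Stage 1: protocol-specific parsers normalise raw records into Events.
export function parseModbus(raw: { ts: number; unit: number; fc: number; addr: number; regs: number[] }): Event {
  return { proto: "modbus", ts: raw.ts, unit: raw.unit, fc: raw.fc, addr: raw.addr,
           count: raw.regs.length, registers: raw.regs };
}
export function parseHttpLog(line: string): Event {
  // Constructed log format: "<ts> <method> <path> <status> <client-ip> <session> <body>"
  const [ts, method, path, status, ip, session, ...body] = line.split(" ");
  return { proto: "http", ts: Number(ts), method, path, status: Number(status), ip, session, body: body.join(" ") };
}

// Stage 2: field-level redaction rules.
export function redact(ev: Event): Event {
  const out: Event = { ...ev };
  for (const f of PII_FIELDS) delete out[f];
  if (typeof out.body === "string" && Buffer.byteLength(out.body) > MAX_BODY_BYTES) {
    out.body_bytes = Buffer.byteLength(out.body);   // keep the size, drop the content
    delete out.body;
  }
  return out;
}

// Stage 3: payload tokenisation. A keyed hash gives the same token for the same
// payload (repeats can be correlated) while the content itself is never sent.
export function tokenise(ev: Event): Event {
  const out: Event = { ...ev };
  for (const f of TOKENISED[ev.proto] ?? []) {
    if (!(f in out)) continue;
    const raw = JSON.stringify(out[f]);
    out[f] = "tok:" + createHmac("sha256", TOKEN_KEY).update(raw).digest("hex").slice(0, 16);
    out[`${f}_len`] = raw.length;
  }
  return out;
}

// Stage 4: sampling. Keeps the first of every N events per protocol; counters
// are local to one chain run so a replay gives the same result.
function sampler(): (ev: Event) => boolean {
  const seen = new Map<string, number>();
  return (ev) => {
    const n = SAMPLE_ONE_IN[ev.proto] ?? 1;
    const c = seen.get(ev.proto) ?? 0;
    seen.set(ev.proto, c + 1);
    return c % n === 0;
  };
}

// Stage 5: batch + compress (NDJSON, gzip). The returned buffer is what would be
// POSTed over mTLS; nothing upstream of this point has left the host.
export function batch(events: Event[]): Buffer {
  return gzipSync(Buffer.from(events.map((e) => JSON.stringify(e)).join("\n") + "\n"));
}
export function decodeBatch(buf: Buffer): Event[] {
  return gunzipSync(buf).toString("utf8").trim().split("\n").map((l) => JSON.parse(l) as Event);
}

// Whole chain over already-parsed events; returns the compressed batch.
export function runChain(events: Event[]): Buffer {
  return batch(events.map(redact).map(tokenise).filter(sampler()));
}

// Constructed sample input: four PLC polls, one LLM call, two HTTP hits, one frame.
export const SAMPLE: Event[] = [
  ...[0, 1, 2, 3].map((i) => parseModbus({ ts: 1700000000 + i, unit: 1, fc: 3, addr: 40001, regs: [120, 121 + i] })),
  { proto: "llm", ts: 1700000010, model: "gpt-x", prompt: "Summarise shift report for Alice",
    completion: "Shift was nominal.", email: "alice@example.com" },
  parseHttpLog(`1700000020 POST /api/upload 200 203.0.113.5 sess-abc ${"A".repeat(2048)}`),
  parseHttpLog("1700000021 GET /api/health 200 203.0.113.6 sess-def {}"),
  { proto: "camera", ts: 1700000030, cam: "dock-3", frame: "base64...", width: 1920 },
];
```

`decodeBatch(runChain(SAMPLE))` yields four events: one of the four Modbus polls, the LLM call with `prompt`/`completion` replaced by tokens, the upload with its 2 KB body replaced by `body_bytes`, and the camera event without its frame; no `email`, `ip` or `session` field survives. The keyed hash is the point worth copying: an unkeyed SHA-256 of a 16-bit register value is trivially reversible at the ingest side, an HMAC under a key that never leaves the host is not.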

Logging + detection

  • Authentication events (sign-in, sign-out, MFA challenge, password reset) logged 30 days.
  • Admin-plane events logged indefinitely (every config change, every allowlist mutation).
  • Firestore read/write count per workspace logged for rate-limit enforcement + anomaly alerting.
  • Cloudflare edge logs (request path, status, IP) 30 days rolling.

Vulnerability management

  • Dependabot / pnpm audit on every PR; high + critical CVEs blocked in CI.
  • Security patches applied within 7 days (critical), 30 days (high), 90 days (medium).
  • Annual third-party penetration test; findings fixed before report is shared externally.
  • Private responsible-disclosure channel: security@sutrace.io. 24h acknowledgement.

Secure development

  • Every change lands via PR with type-check + smoke test in CI.
  • Secret scanning on every commit; no .env.local in git (CI blocks).
  • Firestore rules are generated from source-of-truth code (lib/admin.ts → firestore.rules between BEGIN/END markers); drift fails CI.
  • Admin allowlist is version-controlled and auditable via git log.
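The allowlist-to-rules step above (lib/admin.ts → firestore.rules between BEGIN/END markers, drift fails CI) together with the per-user/workspace authorisation described under Access, as an added example in TypeScript. This is not sutrace's build script or rules file: the addresses, marker text, rule bodies and the `workspaces/{ws}/members/{uid}` membership layout are assumptions; only the shape of the mechanism comes from the page.

```typescript
// Added example, not sutrace's build script: render an allowlist held in
// TypeScript into firestore.rules between marker lines, and fail CI when the
// committed file differs from what the allowlist generates. Addresses, marker
// text, rule bodies and the members-subcollection layout are assumptions.

// What lib/admin.ts would export (constructed addresses).
export const ADMIN_ALLOWLIST = [
  "ops1@example.com", "ops2@example.com", "ops3@example.com", "ops4@example.com",
] as const;

export const BEGIN = "// BEGIN admin-allowlist (generated from lib/admin.ts; do not edit)";
export const END = "// END admin-allowlist";

// Render the allowlist as a rules function. The email claim is only trusted when
// verified, so a fresh sign-up claiming an admin address cannot pass.
export function renderAdminBlock(emails: readonly string[]): string {
  const list = emails.map((e) => JSON.stringify(e)).join(", ");
  return [
    BEGIN,
    "function isAdmin() {",
    "  return request.auth != null",
    "    && request.auth.token.email_verified == true",
    `    && request.auth.token.email in [${list}];`,
    "}",
    END,
  ].join("\n");
}

// Replace whatever sits between the markers with the generated block, keeping the
// indentation of the BEGIN line. Missing or duplicated markers are an error.
export function spliceRules(rules: string, block: string): string {
  const lines = rules.split("\n");
  const b = lines.findIndex((l) => l.trim() === BEGIN);
  const e = lines.findIndex((l) => l.trim() === END);
  if (b < 0 || e < 0 || e < b) throw new Error("firestore.rules: marker block missing or malformed");
  if (lines.slice(b + 1).some((l) => l.trim() === BEGIN) || lines.slice(e + 1).some((l) => l.trim() === END)) {
    throw new Error("firestore.rules: duplicate marker block");
  }
  const indent = (lines[b] ?? "").match(/^\s*/)?.[0] ?? "";
  const generated = block.split("\n").map((l) => indent + l);
  return [...lines.slice(0, b), ...generated, ...lines.slice(e + 1)].join("\n");
}

// CI check: the committed file must equal the regenerated file byte for byte.
export function checkDrift(committed: string, emails: readonly string[]): boolean {
  return spliceRules(committed, renderAdminBlock(emails)) === committed;
}

// Constructed firestore.rules showing the generated block next to the per-user
// workspace rule: a read or write under a workspace requires a member document
// for the signed-in uid, and the admin tree requires the allowlist.
export const RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{db}/documents {
${renderAdminBlock(ADMIN_ALLOWLIST).split("\n").map((l) => "    " + l).join("\n")}
    function isMember(ws) {
      return request.auth != null
        && exists(/databases/$(db)/documents/workspaces/$(ws)/members/$(request.auth.uid));
    }
    match /workspaces/{ws}/{doc=**} {
      allow read, write: if isMember(ws);
    }
    match /admin/{doc=**} {
      allow read, write: if isAdmin();
    }
  }
}
`;
```

`checkDrift(RULES, ADMIN_ALLOWLIST)` is true for the file as generated; edit one address inside the markers by hand and it is false, which is the condition CI turns into a failed build. The regeneration is deterministic, so the same check also catches a reordered or reformatted block, and `spliceRules` refuses to run when a marker has been deleted rather than silently appending a second copy.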

Incident response

24/7 on-call rotation with a severity-tiered runbook. P1 = service-affecting for >10% of customers: initial update in 15 min, hourly thereafter, RCA within 5 business days. Personal-data breaches: customer notification within 72 hours of confirmation per our DPA. Industrial-customer incidents involving NIS2-designated entities: we support your 24h significant-incident notification.

Business continuity + recovery

Firestore daily export to a separate project; semi-annual restore drill. Regional failure RTO 4 h / RPO 24 h. The status page is hosted off our primary infrastructure so it stays visible when we don’t.

Reporting an issue

Email security@sutrace.io with technical detail + proof-of-concept. We acknowledge within 24 hours, target 30-day fix for confirmed vulnerabilities. Authorised testing against your own workspace is welcome; testing against other tenants is not. We do not pursue legal action against good-faith researchers.