Trust Center

Our compliance posture — in plain numbers.

Last updated 2026-04-24

This page tracks every regulation, certification, and document we can be asked about in a B2B procurement review. We list what is ready, what is in progress, what is planned, and what we have explicitly decided is not applicable. No "coming soon" without a date.

Privacy + data protection

Item | Status | Notes
--- | --- | ---
Privacy Policy | ready | Multi-jurisdictional, EU/UK/Swiss/CA/BR/CA-QC/AU/JP/KR
Cookie Policy | ready | First-party only, strict + prefs; GPC-honored
Subprocessor List + 30-day notice | ready | Public page + change log + email to billing contacts
DPA template (EU SCCs + UK Addendum + Swiss + CCPA) | ready | Operational summary live; signed PDF on request
Acceptable Use Policy | ready | OT + AI-specific provisions
Accessibility Statement (WCAG 2.1 AA) | ready | EAA-aligned public statement
SLA | ready | Team 99.9% / Business 99.95% / Scale 99.99% with credit schedule
DPO appointment (outsourced) | planned | Engaging DataGuard / Proliance / Heuking DPO services
Records of Processing (Art. 30) | in progress | Internal register; shared on auditor request
DPIA for AI-agent observability | in progress | Draft; review before GA
CAIQ response (short-form) | ready | Public at /legal/caiq — 15 control groups, 40+ answers

Security frameworks

Item | Status | Notes
--- | --- | ---
CAIQ v4 self-assessment | ready | Short-form live at /legal/caiq; full workbook under NDA on request
CSA STAR Level 1 | planned | Unlocked by publishing CAIQ
SOC 2 Type I | planned | Tooling: Vanta/Drata; audit end of month 3
SOC 2 Type II | planned | 6-month observation window starting month 3
ISO 27001 + 27017 + 27018 | planned | Year-2 engagement if EU enterprise pipeline warrants
HIPAA + BAA | not applicable | Conditional on healthcare prospect
PCI DSS | not applicable | No card data touches Sutrace
Annual third-party penetration test | planned | Cure53 / NCC / Bishop Fox / Doyensec — first test month 3
Bug-bounty program | in progress | Private, via security@sutrace.io; HackerOne after SOC 2 Type II

Sector + critical-infrastructure

Item | Status | Notes
--- | --- | ---
EU NIS2 — customer support | ready | 24h incident-notification commitment in security addendum
EU DORA — ICT TPP addendum | in progress | Template ready; incorporated on FS-sector contracts
EU AI Act — deployer-support posture | ready | Positioned as Art. 12 logging + Art. 14 oversight support tool
IEC 62443 — alignment statement | planned | Public one-pager mapping our controls to 62443-3-3 levels
NERC CIP-013 supply-chain response | planned | Questionnaire template ready for US utility prospects
CMMC / FedRAMP | not applicable | Deferred — no US federal pipeline

Export controls + sanctions

Item | Status | Notes
--- | --- | ---
OFAC + EU sanctions screening at signup | in progress | Blocks embargoed jurisdictions at the gateway
ECCN self-classification (5D002.c.1 / ENC) | ready | Memo on file; MSA representations added
Sanctions + export reps in MSA | ready | Included in template; customer countersignature required

Document + audit artefacts

  • Privacy Policy — /legal/privacy
  • Cookie Policy — /legal/cookies
  • Subprocessor List — /legal/subprocessors
  • Data Processing Addendum (operational summary) — /legal/dpa
  • Acceptable Use Policy — /legal/aup
  • Accessibility Statement — /legal/accessibility
  • SLA — /legal/sla
  • Security overview — /legal/security
  • Terms of Service / MSA — /legal/terms

For copies under NDA (SOC 2 report once issued, pen-test summary, CAIQ): email trust@sutrace.io. Response within two business days.

How to read this page

  • Ready — the artefact exists, is authoritative, and we will provide it on request.
  • In progress — actively being produced; we can share a draft under NDA on request.
  • Planned — a scheduled investment; we can share the plan and timing.
  • Not applicable — explicitly out of scope for a B2B observability SaaS with our customer profile; we can explain why if asked.