How Trace Handles Your Data
How Trace protects customer code, secrets, and findings — and what's covered by our Trust Center for compliance evidence.
Trace scans source code, dependencies, and cloud configuration — some of the most sensitive data your engineering org has. This page covers the protections Trace applies to that data.
For compliance attestations, audit reports, and policies, visit our Trust Center.
Core principles
- Your code is treated as sensitive. Source code is the most sensitive asset most engineering teams have. Trace works with it only for the duration of a scan and never repurposes it for anything else.
- Customer data is never used to train models. Trace's contracts with our LLM providers prohibit training on customer content, and the models we use are configured for zero data retention.
- Least privilege everywhere. From the GitHub App permissions Trace requests to the cross-account roles you grant for cloud integrations, every credential is scoped to the minimum surface needed to do the work.
- Encryption in transit and at rest. All data is encrypted in transit (TLS 1.2 or later) and at rest, and secrets and credentials are stored in a managed secret store with restricted access. Trace has to work with plaintext to scan it, so this is encryption of data in motion and on disk rather than end-to-end encryption in the messaging sense.
- Org-scoped isolation. Every customer's data lives behind an organization boundary enforced at the database layer, not just in application code, so a bug in a single query or request handler cannot by itself expose one customer's findings to another.
Your code
Trace clones repositories into isolated, ephemeral environments for the duration of a scan and discards them afterwards. We don't keep long-lived mirrors of your code. What persists is the set of findings the engines produce, with just enough context (a small code snippet at the affected location) to make each finding actionable — never your full source.
Secrets we discover
When the Secrets engine identifies a credential, the raw value is treated as the most sensitive piece of data in the platform. It's never shown in logs, notifications, or audit trails — only in your dashboard, only to users in your organization who have permission to view it. Any verification probes against upstream providers are read-only.
Cloud data
For cloud integrations (AWS, Vercel), Trace inventories your resources and relationships using read-only access. We can list and describe; we cannot modify. Sensitive resource details are summarized and sanitized before being persisted — Trace doesn't warehouse raw provider responses.
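Before granting the cross-account role described under the least-privilege principle above and in this section, it is worth checking that the role really is inventory-only. The following is an added example, not Trace's code or its published role policy: it classifies every action a permissions policy allows as inventory (Describe/List/Get), data-reading (read-only in IAM terms but returns payloads or secrets, which a resource inventory does not need), or mutating, and checks that the trust policy admits only one named account. The sts:ExternalId check is general AWS cross-account guidance, not a requirement the page states about Trace. The account ID, ExternalId and sample policy documents are constructed placeholders.

```python
"""Audit a cross-account AWS role before granting it to a scanner.

Added example, not Trace's code or policy. The account ID, ExternalId and
policy documents below are constructed placeholders.
"""
import fnmatch

# Verbs that describe the estate's shape rather than change it.
INVENTORY_VERB_PREFIXES = ("Describe", "List", "Get", "BatchGet", "Head")

# Read-only in IAM terms but return payloads or secrets; an inventory
# integration does not need them, so they are reported separately.
DATA_READ_ACTIONS = (
    "s3:GetObject", "secretsmanager:GetSecretValue", "ssm:GetParameter",
    "ssm:GetParameters", "kms:Decrypt", "dynamodb:GetItem",
    "lambda:GetFunction", "ec2:GetPasswordData",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """Classify one IAM action (possibly a glob) as inventory, data_read or mutating."""
    service, sep, verb = action.partition(":")
    if not sep or verb == "*":
        return "mutating"  # "*" or "svc:*" grants writes as well as reads
    # The policy action is a glob: does it cover any payload-reading action?
    if any(fnmatch.fnmatchcase(a.lower(), action.lower()) for a in DATA_READ_ACTIONS):
        return "data_read"
    if verb.startswith(INVENTORY_VERB_PREFIXES):
        return "inventory"
    return "mutating"  # unknown verbs are treated as writes, conservatively


def audit_permissions(policy):
    """Bucket every Allow-ed action; NotAction is too broad and counts as mutating."""
    buckets = {"inventory": [], "data_read": [], "mutating": []}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            buckets["mutating"].append("NotAction=" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            buckets[classify_action(action)].append(action)
    return buckets


def audit_trust(trust_policy, vendor_account, external_id):
    """Return problems with who may assume the role; an empty list means acceptably scoped."""
    problems = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        for p in principals:
            if p != vendor_account and not p.startswith(f"arn:aws:iam::{vendor_account}:"):
                problems.append(f"principal not limited to account {vendor_account}: {p}")
        if stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            problems.append("missing or wrong sts:ExternalId condition")
    return problems


def role_is_inventory_only(trust_policy, permissions_policy, vendor_account, external_id):
    """True only when the trust is scoped and no allowed action reads payloads or mutates."""
    buckets = audit_permissions(permissions_policy)
    return (not audit_trust(trust_policy, vendor_account, external_id)
            and not buckets["data_read"] and not buckets["mutating"])


# Constructed sample documents (placeholders, not real accounts or Trace's policy).
VENDOR_ACCOUNT = "111111111111"
EXTERNAL_ID = "example-external-id"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Looks read-only at a glance, but s3:Get* covers GetObject (bucket contents)
# and one mutating action slipped in.
PERMISSIONS_TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
                   "iam:List*", "s3:Get*", "lambda:UpdateFunctionCode"],
        "Resource": "*",
    }],
}

# Corrected: name the bucket-metadata calls instead of s3:Get*, drop the write.
PERMISSIONS_INVENTORY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
                   "s3:GetBucketLocation", "s3:GetEncryptionConfiguration", "iam:List*"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("too broad", PERMISSIONS_TOO_BROAD), ("inventory", PERMISSIONS_INVENTORY)):
        print(name, audit_permissions(policy))
    print("trust problems:", audit_trust(TRUST_POLICY, VENDOR_ACCOUNT, EXTERNAL_ID))
```

The point of the separate `data_read` bucket is that "read-only" in IAM is not the same as "inventory-only": `s3:Get*` or `secretsmanager:GetSecretValue` never modify anything, yet they hand the assuming account your bucket contents or secret values, which a tool that only needs to list and describe resources should not be granted. Unknown verbs are deliberately treated as mutating so that a new or misspelled action fails the check rather than passing silently.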
Access on Trace's side
Internal access to customer data is restricted and audited. Trace engineers can access customer data only when required for troubleshooting, only with the customer's permission for anything beyond aggregate diagnostics, and every access is logged. The full access policy and the audit controls behind it are documented in the Trust Center.
Compliance posture
Trace's compliance status, certifications, audit reports, subprocessor list, and policies are maintained at our Trust Center. Reach out to the Trace team for NDA-gated artifacts.
Privacy and legal
For privacy policy, terms of service, and data-processing agreements:
- Privacy Policy
- Terms of Service
- DPAs and subprocessor lists are available through the Trust Center.