1. Introduction
This Privacy Policy describes how Clerk Technologies, Inc., doing business as Trace ("Trace," "we," "us," or "our"), collects, uses, discloses, and protects personal information through our website at securewithtrace.com, our application at securewithtrace.com/dashboard, and related services (collectively, the "Service").
Trace is an AI-native application security platform providing static application security testing (SAST), software composition analysis (SCA), secrets scanning, and AI-assisted vulnerability management.
This Privacy Policy applies to all visitors to our website, users of our platform, and individuals whose personal data is processed through the Service on behalf of our customers.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, and organizational role when you create an account or are provisioned via your organization's identity provider (SSO/SCIM through WorkOS).
- Communications: Any information you provide when you contact us for support, sales inquiries, or other communications.
2.2 Information Collected Through the Service
When your organization uses Trace to scan source code repositories, we process the following data on behalf of your organization (as a data processor):
- Source code from repositories explicitly authorized by your organization. Source code is processed transiently during scans and is not stored persistently.
- Git metadata, including commit history, author names and email addresses, branch names, and pull request metadata.
- Security findings generated by our scanning engines, including vulnerability details, severity, file location references, and remediation status.
- Secrets or credentials discovered during scanning, which are flagged as findings for remediation purposes only.
2.3 Information Collected Automatically
- Log data: IP address, browser type, operating system, referring URLs, and access timestamps when you visit our website or use the platform.
- Usage data: Feature usage patterns, scan frequency, and platform interaction data to improve the Service.
- Cookies and similar technologies: We use essential cookies for authentication and session management. See Section 8 for details.
3. How We Use Information
We use personal information for the following purposes:
- Providing, operating, and maintaining the Service, including authenticating users and delivering security scan results.
- Processing source code and generating security findings on behalf of your organization.
- Communicating with you about the Service, including responding to support requests and sending service-related notifications.
- Improving and developing the Service, including analyzing usage patterns and platform performance.
- Complying with legal obligations and enforcing our terms of service.
We do not use customer source code, security findings, or other customer data to train machine learning models or for any purpose other than providing the Service to the customer that authorized the data.
4. Legal Basis for Processing
Where applicable, we process personal information on the following legal bases:
- Contract performance: Processing necessary to provide the Service under our agreement with you or your organization.
- Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and communicating with users, where those interests are not overridden by your rights.
- Consent: Where you have provided consent for specific processing activities.
- Legal obligation: Processing necessary to comply with applicable laws.
When we process customer data (source code, scan findings, git metadata) on behalf of your organization, we act as a data processor under your organization's instructions. Your organization is the data controller for that data.
5. How We Share Information
We do not sell personal information. We share personal information only in the following circumstances.
5.1 Sub-processors and Service Providers
We use the following third-party service providers to operate the Service:
| Provider | Purpose |
|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, and compute (us-east-1, United States) |
| WorkOS | Authentication, SSO, SCIM directory sync, and user management |
| Vercel | Web application hosting and content delivery |
| GitHub | Source code repository integration and webhook delivery |
| Resend | Transactional email delivery |
| PostHog | Product analytics and usage tracking |
Each sub-processor is contractually obligated to protect personal information and to process it only as necessary to provide their service to us.
5.2 Other Disclosures
We may also disclose personal information to comply with applicable law or legal process; to protect the rights, property, or safety of Trace, our users, or others; or in connection with a merger, acquisition, or sale of assets, in which case you will be notified of any change in applicable privacy practices.
6. Data Retention
- Account data (name, email, role) is retained for the duration of the customer relationship and deleted upon account termination or customer request.
- Source code is processed transiently during scans and is not retained after scan completion.
- Security findings are retained for the duration of the customer relationship to enable vulnerability tracking and remediation workflows.
- Git metadata associated with findings is retained as long as the related findings are retained.
- Log data is retained for up to 30 days for security and operational purposes.
Upon termination of a customer agreement, we will delete or return all customer data in accordance with our contractual obligations and within a reasonable timeframe.
7. Data Security
We implement technical and organizational measures to protect personal information, including:
- Encryption of all data in transit using TLS 1.2 or higher.
- Encryption of all data at rest using AES-256 via AWS Key Management Service.
- Access to internal systems restricted via SSO (SAML 2.0) through Google Workspace with MFA enforced.
- All endpoints managed via MDM (Jamf Now) with full-disk encryption (FileVault) and remote wipe capability.
- Infrastructure defined and managed as code via AWS CDK, with all changes subject to peer review and CI/CD security scanning.
- Regular security scanning of our own codebase using Trace's SAST, SCA, and secrets detection engines.
For additional detail on our security practices, please contact us or refer to our security documentation.
8. Cookies and Tracking Technologies
We use strictly necessary cookies for authentication and session management. These cookies are required for the Service to function and cannot be disabled.
We use PostHog for product analytics to understand how the Service is used. PostHog is configured to collect aggregated usage data and is not used to serve advertisements or track users across third-party websites. We do not use third-party advertising cookies or tracking pixels.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request that we delete your personal information, subject to legal and contractual retention obligations.
- Portability: Request a copy of your data in a structured, commonly used format.
- Objection or restriction: Object to or request restriction of certain processing activities.
If your personal information is processed by Trace on behalf of your organization (e.g., your employer is a Trace customer), please direct your request to your organization. We will assist your organization in fulfilling your request in accordance with applicable law.
To exercise any of these rights directly, contact us at privacy@securewithtrace.com.
10. International Data Transfers
All customer data is stored and processed in the United States (AWS us-east-1). If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We will ensure appropriate safeguards are in place for any international data transfers in accordance with applicable law, including Standard Contractual Clauses where required.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a revised effective date. If the changes materially affect how we process personal information we have already collected, we will make reasonable efforts to notify affected users (e.g., by email or in-product notification).
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Clerk Technologies, Inc.
Email: privacy@securewithtrace.com
Website: securewithtrace.com