Privacy Policy

Effective Date: March 18, 2026 · Last Updated: March 18, 2026

Who We Are

TrustTrace is an AI security posture management platform that helps organizations assess the security of their AI agent deployments, MCP server configurations, and agentic AI infrastructure. We can be reached at hello@trusttrace.io.

The Short Version

We collect the minimum data needed to operate our platform. We do not sell your data. We do not use your uploaded configurations or assessment inputs to train machine learning models. Uploaded scan files are deleted after your scan completes.

What Data We Collect

Account Information. Email address and profile information. Authentication is handled by Clerk (clerk.com). We do not store your password.

Scan Configurations. MCP server configuration files and agent configuration artifacts you upload. These files are:

  • Processed in an isolated environment
  • Deleted after your scan completes
  • Never used to train machine learning models
  • Never shared with third parties except as required to operate the scan (e.g. vulnerability lookups against OSV.dev)

Scan Results. Findings, scores, and recommendations stored in your account. Delete them at any time from account settings.

Payment Information. Handled by Stripe (stripe.com). We do not store your credit card number or CVV.

Usage Data. Standard web analytics. Not linked to your identity for advertising purposes.

Managed Assessment Clients

If you engage TrustTrace for a managed assessment:

  • Assessment inputs are handled under your executed MSA and NDA
  • Artifacts retained 90 days post-engagement then deleted
  • Healthcare clients require a BAA before sharing any PHI. Contact hello@trusttrace.io to request a BAA.

How We Use Your Data

We use data to operate the platform, provide scan results, process payments, respond to support requests, and comply with legal obligations.

We do not use your data to train AI models, sell to advertisers, or share with third parties except as described below.

Data Sharing

Service providers who help us operate the platform:

  • Clerk, authentication
  • Stripe, payment processing
  • Render, cloud infrastructure (scan data processed here)
  • Vercel, web hosting
  • Google Workspace, email
  • OSV.dev, vulnerability lookups (package names only)

We do not sell data to any third party.

Data Retention

  • Uploaded scan configs: deleted after scan completes
  • Scan results: until you delete them or close your account
  • Account information: until you close your account
  • Payment records: as required by law
  • Managed assessment artifacts: 90 days post-engagement

Your Rights

You have the right to access, correct, delete, and export your data. Email hello@trusttrace.io. We respond within 30 days.

California (CCPA): We do not sell personal information. Contact hello@trusttrace.io for CCPA requests.

EU/UK (GDPR): Our lawful bases for processing are contract performance and legitimate interest. Contact hello@trusttrace.io for GDPR requests.

Security

We implement TLS encryption in transit, encrypted storage at rest, access controls, and regular security reviews. We assess our own platform with our own tools.

No system is perfectly secure. Report vulnerabilities to hello@trusttrace.io. We respond within 48 hours.

Changes

We notify registered users of material changes by email 30 days before they take effect.

Contact