Security you can hand to your CISO.
Premtrace processes sensitive fit-and-proper data for FINMA-supervised institutions. This page documents how we secure it — the controls, the architecture, and the boundaries that apply to every cycle we run.
Last updated: April 2026
Swiss & EU data residency
All client data is processed and stored on servers in Switzerland and the European Union.
Encryption end to end
TLS 1.2+ in transit, AES-256 at rest. Secrets rotated regularly and never stored in source control.
nFADP & GDPR aligned
Data protection impact assessment available on request. Records of processing maintained under nFADP Art. 12.
Infrastructure
Where your data lives
Premtrace runs exclusively on infrastructure located in Switzerland and the European Economic Area. Production workloads run in isolated, hardened environments, and no compute is shared with external tenants outside our provider’s platform boundaries.
- Primary hosting: backend compute and database in Frankfurt (EU). Website and static assets served from Vercel’s EU edge network.
- Network isolation: the database is reachable only from the application services over a private network. No public database endpoints.
- No US-only dependency in the data path: every sub-processor handling client or covered-employee data operates under Swiss or EU jurisdiction, or under EU Standard Contractual Clauses with equivalent safeguards.
Encryption
In transit and at rest
- In transit: every connection — client browser to platform, platform to upstream sources, administrator access — is encrypted with TLS 1.2 or above using modern cipher suites. HSTS is enabled on all public endpoints.
- At rest: client data, verification results and generated reports are stored on block-level AES-256-encrypted volumes. Report PDFs written to disk are encrypted at rest and purged according to configured retention.
- Secrets management: API keys, database credentials and third-party tokens live in a managed secrets vault, injected at runtime and rotated on a documented schedule. No secret is ever committed to source control.
Access control
Who can do what
- Administrative access: production admin access is limited to a named list of Premtrace personnel, protected by strong authentication and scope-restricted API keys. Access is logged and reviewed quarterly.
- Client access: each client organisation operates within its own tenant boundary. Cycles, findings and reports are isolated at the database layer by client identifier and enforced on every query path.
- Least privilege: service accounts used by background workers hold only the permissions their specific task requires. Read-only analytics and export paths are kept separate from write paths.
- No client passwords are stored in the clear. Where passwords are used, they are hashed with a modern key-derivation function (bcrypt / argon2). Passwordless and SSO options are available on request.
Data handling
What we collect, and what we do not
Premtrace operates on a principle of minimum-necessary data. We collect only what is required to identify a covered employee (full name, professional role, employer) and to return the verification result to the client.
- Public sources only: verification cycles draw exclusively on publicly accessible information. We do not access password-protected content, private social-media accounts, or data brokers.
- No sensitive categories sought: we do not search for data on health, religion, sexual orientation or political opinion. Findings that incidentally surface such data are flagged and handled under the heightened protection of nFADP Art. 5(c).
- Retention: verification records are retained for the period stated in the Data Processing Agreement, with a default ceiling of five years. Clients can configure shorter retention or request deletion at any time.
- Deletion: on termination, client data is deleted within 30 days across primary and backup systems. A certificate of deletion is available on request.
Application security
How we build and deploy
- Dependency hygiene: dependencies are pinned and audited. Critical advisories are reviewed within one business day; high-severity within five.
- Input validation: every inbound request is validated at the route boundary. Parameterised queries are used for all database access — no raw string interpolation.
- Content isolation: the admin interface enforces strict Content Security Policies. Reports rendered for review are sandboxed so no active content can execute.
- Change control: production changes require code review and must pass automated checks before deployment. A rollback path is maintained for every release.
- Logging: application and access logs are retained for operational monitoring and incident investigation. Logs do not contain verification findings, only metadata.
Incident response
If something goes wrong
Premtrace operates a documented incident-response procedure. In the event of a confirmed data breach affecting client or covered-employee data, we will:
- Notify affected clients without undue delay, and in any case within 72 hours of becoming aware of the breach, consistent with nFADP Art. 24 and GDPR Art. 33.
- Provide a preliminary incident report covering scope, affected data categories, containment actions and recommended remediation.
- Cooperate with the Federal Data Protection and Information Commissioner (FDPIC) and any competent EU supervisory authority.
- Publish a post-incident review to affected clients with root cause and corrective measures within 30 days of containment.
To report an incident or a suspected vulnerability, contact security@premtrace.ch. Reports can be sent in the clear; please include reproduction steps and the affected components.
Personnel
Who has access, and how
- All personnel with access to production data have signed confidentiality agreements and completed data-protection training aligned with nFADP and GDPR requirements.
- Access is granted on a need-to-know basis and revoked immediately on role change or departure.
- Background checks are performed on personnel with administrative access, in line with Swiss employment law.
- Premtrace does not outsource verification analysis or any covered-employee-facing operations to third parties outside the EEA or Switzerland.
Sub-processors
Third parties in our data path
We rely on a small, vetted set of sub-processors, each bound by a Data Processing Agreement with obligations equivalent to our own.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Website hosting | EU |
| Railway | Application hosting | EU (Frankfurt) |
| Anthropic | AI analysis of public sources; no training on client data | EU routing, zero-retention endpoint |
| Resend | Transactional report delivery | EU |
| Stripe | Billing (no verification data) | EU |
We give 30 days’ notice before adding or materially changing a sub-processor. Clients may object in writing and, where no reasonable alternative exists, terminate for convenience.
Business continuity
Backups and availability
- Backups: databases are backed up daily with point-in-time recovery. Backups are encrypted and stored in a geographically distinct EU region.
- Restore testing: restore procedures are exercised quarterly.
- Target RPO / RTO: 24-hour recovery point objective and 8-hour recovery time objective for production services.
- Data portability: clients can export their verification records in a structured format (CSV / PDF bundle) at any time.
Certifications & audits
Where we are, where we are going
Premtrace is an early-stage Swiss company. We publish our security posture honestly rather than overstate it.
- In place today: Data Processing Agreement aligned with the nFADP and GDPR Art. 28; internal information-security policy; documented incident-response runbook; encrypted infrastructure hosted under Swiss and EU jurisdiction.
- In progress: ISO/IEC 27001 alignment — gap analysis completed; target certification within 18 months of our first enterprise contract.
- On request: responses to security questionnaires (CAIQ, SIG Lite), architecture diagrams under NDA, sub-processor list and DPA can be shared with prospective enterprise clients.
Responsible disclosure
Reporting a vulnerability
If you believe you have found a security vulnerability, please email security@premtrace.ch. We commit to:
- Acknowledging your report within 2 business days.
- Providing an initial assessment within 5 business days.
- Keeping you informed of remediation progress and crediting you in our release notes if you wish.
- Not pursuing legal action against researchers who act in good faith, avoid privacy violations and give us a reasonable window to remediate before public disclosure.
Need our security pack for a vendor review?
We can share our DPA, sub-processor list, security questionnaire responses and architecture overview under mutual NDA. Turnaround is typically 2 business days.