Tracer is Committed to Data Security

SOC 2 Type 2 Audit

Reflecting our commitment to providing best-in-industry security practices and building on the trust of our customers, Tracer completes annual SOC 2 Type 2 audits.

These rigorous independent audits, based on the AICPA’s Trust Service Criteria, test the operating effectiveness of our systems as they relate to security, processing integrity, confidentiality, and privacy.  Successfully completing a SOC 2 Type 2 audit provides our customers with the assurance that an independent assessment has confirmed our ability to keep their data secure and meet the requirements of applicable privacy laws.  The audit reports include a description of our trust services and controls, as well as the auditors’ opinion on the suitability of the design and operating effectiveness of our security and confidentiality practices.

Independent Data Security Assessment

Tracer has also undertaken an independent assessment of its privacy and security safeguards over the data we collect on behalf of our global customers.  Not only is the protection of personal data required by an increasing number of countries and jurisdictions, but we believe that conducting this deeper analysis of our internal controls further demonstrates our commitment to protecting our customers.

EU-US and Swiss-US Data Privacy Framework

Tracer has certified to the U.S. Department of Commerce that it adheres to the EU-US and Swiss-US Data Privacy Framework Principles regarding the collection, use, and retention of any personal information from European Union member countries and Switzerland.  To learn more about the Data Privacy Framework program, and to view Tracer’s certification, please visit https://www.dataprivacyframework.gov/s.

Vulnerability Policy

Scope

The following describes how Tracer systematically addresses vulnerabilities and when we resolve security bugs in our products.

Security bug fix Service Level Objectives

Tracer sets service level objectives for fixing security vulnerabilities based on the vulnerability rank. Resources like the Common Vulnerabilities and Exposures (or similar) could be utilized when appropriate to aid in answering the above questions.  

Rank: Critical
Fix Timeline (Business Days): 5 days
Description: Vulnerabilities that score in the critical range usually have most of the following characteristics:

  • Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
  • Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

Rank: High
Fix Timeline (Business Days): 10 days
Description: Vulnerabilities that score in the high range usually have some of the following characteristics:

  • The vulnerability is difficult to exploit.
  • Exploitation could result in elevated privileges.
  • Exploitation could result in a significant data loss or downtime.

Rank: Medium
Fix Timeline (Business Days): 20 days
Description: Vulnerabilities that score in the medium range usually have some of the following characteristics:

  • Exploits that require an attacker to reside on the same local network as the victim.
  • Vulnerabilities where exploitation provides only very limited access.
  • Vulnerabilities that require user privileges for successful exploitation.

Rank: Low
Fix Timeline (Business Days): 60 days
Description: Vulnerabilities in the low range typically have very little impact on an organization’s business. Exploitation of such vulnerabilities usually requires local or physical system access.

Non-critical vulnerabilities

When a security issue of Medium or Low severity is discovered, Tracer will aim to release a fix within the timeline objectives listed above. In certain circumstances Tracer may, however, defer addressing the fix based on available resources and company objectives. 

Future Updates

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.