Security
This page summarizes how Trace protects account access, saved research, public sharing, AI processing, and operational workflows.
Last updated: June 2, 2026
Security Approach
Trace is designed to protect the research memory teams build inside the product. We focus on account security, workspace access controls, secure infrastructure providers, careful handling of AI processing, and operational monitoring.
Account Access
- Authentication is handled through Supabase Auth and supported identity providers.
- User sessions are scoped to authenticated requests, and private app routes require a signed-in account.
- Workspace content is intended to be accessible only to authorized users and invited team members.
Saved Research and Storage
- Saved sources, notes, extracted facts, summaries, embeddings, projects, and briefs are stored in managed database infrastructure.
- Application routes enforce ownership and workspace checks before returning saved content.
- Public share links are treated as intentionally shared content and should be revoked when access is no longer desired.
AI and Processing Providers
Trace sends saved content or prompts to AI providers only when needed for features such as summaries, extracted facts, embeddings, semantic search, and briefs. Billing data is handled by a payment provider, and full card numbers are not stored by Trace.
Operational Controls
- Server routes validate required configuration and protect privileged service-role operations.
- Queue processing uses a worker secret in production to prevent unauthenticated processing calls.
- Plan limits are enforced before expensive AI workflows run, which helps reduce abuse and runaway processing.
- Logs and diagnostics are used to monitor reliability, investigate failures, and respond to suspicious activity.
User Responsibilities
- Use strong passwords or trusted single sign-on providers for account access.
- Invite only authorized teammates to a workspace.
- Review public share links before sending them outside your organization.
- Do not save secrets, credentials, payment card numbers, health data, or other highly sensitive regulated data unless Trace has agreed in writing to support that use case.
Reporting Issues
If you believe you have found a security issue, send a clear report with reproduction steps, affected URLs, and impact. Please avoid accessing, modifying, deleting, or sharing data that does not belong to you while testing.
Limitations
No internet service can guarantee perfect security. We will continue improving Trace's controls as the product, infrastructure, and threat model evolve.