Segurança

Visão geral de segurança

Os Planos de Arranjo Geral contêm a estrutura do seu navio. É informação técnica sensível. Aqui está uma explicação clara de como a protegemos.

Última atualização: 23 de março de 2026

TLS 1.2+

Encrypted in transit

AES-256

Encrypted at rest

EU data residency

Servers hosted in the EU

Row-level isolation

Per-org data separation

MFA supported

Authenticator app or email

Audit logs

All access and changes recorded

72 h breach notice

GDPR Art. 33 compliant

DPA available

SCCs in place for EU customers

Infrastructure and Data Residency

Decktrace runs on managed cloud infrastructure hosted in the European Union (EU). We use established providers rather than self-hosting critical components:

  • Application and API — hosted in EU cloud regions with automatic TLS termination and edge-layer DDoS protection. Content is served via Amazon CloudFront CDN, which processes your IP address, browser type, and request timestamp to deliver responses efficiently and protect against volumetric attacks. Amazon CloudFront data processing details: aws.amazon.com/privacy
  • Database and file storage — managed database service in the EU with AES-256 encryption at rest, automated daily backups, and point-in-time recovery
  • Payments — Stripe handles all card processing (PCI DSS Level 1 certified). We never see or store card numbers
  • Transactional email — dedicated email delivery provider for account and billing notifications only
  • Analytics — Plausible Analytics, hosted in the EU, cookieless, collects no personal data and sets no tracking cookies

Where sub-processors are located outside the EU (for example, Stripe in the United States), we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, or the EU-US Data Protection Framework where applicable, to ensure an equivalent level of protection. You may request copies of the SCCs we have in place by contacting hello@decktrace.io.

Encryption

In transit

All connections to Decktrace — the web application, API, and embeddable viewer — are served exclusively over HTTPS using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS. Older protocols (TLS 1.0, 1.1, SSLv3) are disabled. HTTP Strict Transport Security (HSTS) headers enforce HTTPS for all subsequent visits.

At rest

Database records and uploaded GA plan files are encrypted at rest using AES-256. Encryption keys are managed by the infrastructure provider's key management service and are not accessible to application-level code.

Secrets and credentials

Service API keys and credentials are stored as encrypted environment variables, never in source code or version control. Credentials are rotated when team members with access leave the organization.

Authentication and Session Security

Account access is protected by the following controls:

  • Passwords are hashed using bcrypt with a per-user salt — we cannot recover your password and no plaintext is stored
  • Multi-factor authentication (MFA) is available for all accounts via a TOTP authenticator app or email one-time codes
  • Session tokens are rotated on every authentication event and expire after inactivity
  • Failed login attempts trigger rate limiting and temporary lockouts to prevent brute force
  • API keys are scoped per organization and can be revoked from your account settings at any time

Access Control and Data Isolation

Each organization on Decktrace sees only its own data. Isolation is enforced at the database level using Row Level Security (RLS) policies — not only at the application layer. Even in the presence of an application bug, database queries cannot return records belonging to another organization.

Within an organization, access is role-based. Roles determine who can upload GA plans, edit catalogs, manage API keys, invite members, and administer billing.

Our team accesses production data only when necessary to resolve a confirmed support issue, and only with audit logging active. We do not have standing read access to your vessel catalog content or uploaded files.

Application Security

Our development practices follow the OWASP Top 10 as a baseline:

  • All user input is validated and sanitized server-side before processing or storage
  • Database queries use parameterized statements, preventing SQL injection
  • Responses include Content Security Policy (CSP) headers and strict output encoding to prevent XSS
  • CSRF tokens are required on all state-changing requests
  • Security headers are set on all responses: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy
  • Third-party dependencies are reviewed and updated regularly; known CVEs are patched within a defined SLA based on severity

Uploaded File Safety

GA plan files (PDFs and images) are processed in an isolated server environment. Before any processing occurs:

  • File type and MIME type are validated against an allowlist — only expected formats are accepted
  • File size limits prevent resource exhaustion attacks
  • Uploaded files are processed server-side; no file content is executed or interpreted as code
  • Stored files are kept in private cloud storage with no public URL access — retrieval requires a valid authenticated session or a signed URL with a defined expiry

The embeddable viewer renders catalog geometry from structured API data, not from the raw uploaded file. Your GA plan files are never exposed through the viewer.

Log Retention

We maintain two distinct categories of logs with different retention policies:

Server access logs

Web server access logs (IP address, request path, timestamp, browser) are retained for a maximum of 30 days, after which IP addresses are anonymized and logs are aggregated for infrastructure diagnostics only. These logs are never used for marketing or profiling purposes. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining technically secure and error-free operation.

Application audit logs

Security-relevant events — sign-ins, catalog edits, file uploads, API key changes, role modifications — are retained for 12 months and are available for export by organization owners. These logs support accountability, incident investigation, and your own compliance requirements.

Audit and Activity Logs

Application audit logs capture:

  • Sign-ins and sign-outs, including IP address and device information
  • GA plan uploads and file deletions
  • Catalog edits: area creation, modification, and deletion, with the acting user recorded
  • API key creation and revocation
  • Role and membership changes
  • Admin access to production infrastructure by our operations team

Organization owners can request an audit log export. Logs are retained for 12 months.

Backup and Recovery

  • Daily database backups with point-in-time recovery capability
  • File storage replicated across availability zones within the EU
  • Recovery Point Objective (RPO): 24 hours
  • Recovery Time Objective (RTO): 4 hours for critical system restoration

We test recovery procedures periodically to confirm backups are functional and restoration times are within stated targets.

Maritime Data Sensitivity

GA plans describe the physical layout of vessels — structural compartments, safety equipment locations, access routes, and tank configurations. We treat this information accordingly:

  • No GA plan content is indexed by search engines or accessible without authentication
  • Share tokens for the embeddable viewer have configurable expiry and can be revoked at any time
  • Catalog exports are access-controlled and logged
  • We do not aggregate or analyze GA content across customer organizations

Customers with specific ISPS Code compliance requirements or vessels with sensitive classifications should contact us to discuss appropriate data handling arrangements.

Regulatory Alignment

  • GDPR (EU 2016/679) — We act as a data processor for customers with EU users. A Data Processing Agreement (DPA) is available on request. We notify affected controllers of confirmed personal data breaches within 72 hours of discovery, consistent with Article 33 obligations. International transfers to US sub-processors use SCCs or the EU-US Data Protection Framework
  • NIS2 Directive — The maritime sector is designated critical infrastructure under NIS2. We maintain incident response procedures and supply chain risk assessments to support customers' own NIS2 compliance
  • CCPA — We do not sell personal data. California residents may exercise their CCPA rights by contacting us

If you believe Decktrace has not addressed a privacy concern adequately, you have the right to lodge a complaint with the supervisory authority in your EU member state. A list of EU data protection authorities is maintained at edpb.europa.eu.

Security Assessments

We conduct internal security reviews on a quarterly basis covering dependency vulnerabilities, infrastructure configuration, and access control policies. We intend to commission independent third-party penetration testing and will make a summary of findings and remediation status available to customers on request under NDA.

We are evaluating SOC 2 Type II certification as we scale. Enterprise customers with specific compliance requirements are welcome to contact us to discuss assessments, questionnaires, or custom DPAs.

Incident Response

In the event of a confirmed security incident affecting customer data:

  • We contain the incident, revoke compromised credentials, and preserve evidence
  • We notify affected account holders and, where applicable, supervisory authorities within the timeframes required by law (72 hours for GDPR-covered incidents)
  • We provide a clear description of what happened, what data was involved, and what steps we have taken
  • We conduct a post-mortem and share a summary of corrective measures with affected customers

Account and Data Deletion

When you delete your account or your subscription ends and the 30-day export window closes, your active data — GA plan files, vessel catalog records, and user profiles — is permanently deleted. Encrypted backups are purged within a further 30 days. Deletion is irreversible.

Responsible Disclosure

We welcome reports from security researchers. If you discover a vulnerability in Decktrace, please report it to hello@decktrace.io with the subject line "Security Disclosure." We commit to:

  • Acknowledging your report within 5 business days
  • Keeping you informed as we investigate and remediate
  • Not pursuing legal action against researchers acting in good faith under coordinated disclosure

We ask that you avoid accessing data belonging to other organizations, do not disrupt service availability, and allow us reasonable time to address the issue before public disclosure.

Data Processing Agreement

If your organization processes personal data of EU residents through Decktrace, you may require a Data Processing Agreement (DPA) under GDPR Article 28. Contact hello@decktrace.io to request a DPA. We will also provide copies of the Standard Contractual Clauses in place with our US-based sub-processors on request.

Contact

Security questions and vulnerability reports: hello@decktrace.io
Legal, DPA, and SCC requests: hello@decktrace.io

← InícioPolítica de PrivacidadeTermos de ServiçoPolítica de CookiesContacto