Trust & Security
Security and engineering record integrity by design
Tracta protects both platform access and the integrity of governed engineering workflows. Security here means more than preventing unauthorised entry — it means ensuring that every revision, approval, and issuance event is accurate, attributable, and permanently preserved.
This page describes the infrastructure controls, data protection posture, access model, and record integrity mechanisms that underpin the Tracta platform.
Core principles
These principles are structural properties of the platform — not policies applied on top of it.
Least-privilege access
Access rights are scoped to what each role requires. Review, approval, and issuance actions are governed by permission boundaries — not open to any authenticated user.
Attributable actions
Every action taken within the platform is attributed to a named individual. No action is anonymous. This is a structural property of the engineering record, not an audit add-on.
Controlled issuance
A document can only be issued when explicit governance conditions are satisfied. The authority to issue is configured, not assumed, and the issuing event is permanently recorded.
Immutable history
Revision states, approval records, and issuance events cannot be altered once recorded. The record of what happened is durable by design.
Operational resilience
The platform is built to remain available and consistent under operational load. Monitoring, alerting, and recovery processes are maintained to ensure continuity of engineering workflows.
Infrastructure
Managed cloud infrastructure
Tracta operates on managed cloud infrastructure with environment separation between production, staging, and development. Infrastructure configuration is controlled and version-managed.
Network access to internal services is restricted. Operational monitoring covers system health, error rates, and anomalous behaviour. Deployment processes include automated checks before production changes are applied.
Data Protection
Encryption and protected storage
All data in transit is encrypted using TLS. Data at rest — including engineering records, document metadata, and user information — is encrypted at the storage layer.
Database backups are encrypted and stored separately from primary data. Retention periods and deletion schedules are enforced by the system rather than by manual process.
Access Control
Role-based permissions tied to engineering workflows
Access to the platform is authenticated. Within the platform, permissions are role-based and scoped to the actions each user is authorised to perform.
Review, approval, and issuance actions require appropriate authority. A user without approval authority cannot produce an approval record. This is not enforced by policy alone — it is enforced structurally by the platform.
Internal access to production systems is restricted to a small number of authorised personnel. All privileged access is logged.
Auditability & Record Integrity
A defensible account of every document decision
In regulated engineering environments, security is not only about preventing intrusion. It is also about preserving a defensible account of how a document moved from draft to reviewed, approved, and issued status.
Tracta records every governed event — revision, review, approval, issuance, and supersession — as an attributable, timestamped entry linked to the relevant document state. These records are immutable. They cannot be edited, backdated, or removed by platform users.
The result is an audit history that reflects what actually happened: who acted, on which document state, under what authority, and when. This record is a continuous output of platform operation — not a report assembled after the fact.
Availability
Operational stability and recovery posture
The platform is designed for continuous availability. Redundancy is applied at the infrastructure level to reduce the impact of component failures.
We maintain monitoring and alerting across platform systems. Planned maintenance is communicated in advance. Our engineering posture prioritises graceful degradation and rapid recovery over hard failure.
"An engineering record that cannot be trusted is not a record. Tracta enforces structural integrity at every step — so the record produced is the record that happened."
Responsible Disclosure
Reporting a vulnerability
Please send your report to security@tracta.com.au. Include a description of the issue, steps to reproduce it, and your assessment of the potential impact. We will acknowledge receipt and keep you informed as we investigate.
We do not pursue legal action against researchers who act in good faith and follow responsible disclosure practices.