Security · Compliance

Built to survive review.

Gov-tech buyers don't get to choose convenience over audit. eTraffica was engineered to pass the procurement security review on the first cycle — tenant isolation, immutable audit, encryption, and a clean answer for every question oversight asks.

TLS everywhere · Append-only audit · OIDC + service principals
Posture

Nine commitments, enforced in code.

Each item below is implemented in the production runtime today, not promised in a roadmap deck. Diligence packs available under NDA.

Multi-tenant isolation

Every read, write, search, and aggregate is tenant-owned and tenant-filtered through the identity layer. Wrong-tenant access is rejected at the gateway.

Append-only audit log

Every mutation is appended with actor, resource, action, correlation ID, and time. Searchable across years; never silently modified.

Role-based access control

Admin, Finance, Support, Violator, and Service-Principal roles. RBAC is enforced on every endpoint, not just the UI.
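The two properties above (tenant taken from the verified identity, role checked per endpoint) as one added example, not eTraffica's gateway code. The role names are the ones on this page; the claim shape, the endpoint table, the route patterns and the sample rows are assumptions. The point a reviewer looks for is that the data layer has no entry point without a tenant filter, and that the tenant check runs before the role check so a cross-tenant probe learns nothing about roles.

```javascript
const ROLES = new Set(['Admin', 'Finance', 'Support', 'Violator', 'Service-Principal']);

// Per-endpoint allow-list (assumed for illustration). Enforced in the gateway, not the UI.
const ENDPOINTS = [
  { method: 'GET',    pattern: /^\/tenants\/([^/]+)\/violations$/,                   roles: ['Admin', 'Finance', 'Support', 'Service-Principal'] },
  { method: 'GET',    pattern: /^\/tenants\/([^/]+)\/violations\/([^/]+)$/,          roles: ['Admin', 'Finance', 'Support', 'Violator'] },
  { method: 'POST',   pattern: /^\/tenants\/([^/]+)\/violations\/([^/]+)\/payments$/, roles: ['Admin', 'Finance', 'Violator'] },
  { method: 'DELETE', pattern: /^\/tenants\/([^/]+)\/violations\/([^/]+)$/,          roles: ['Admin'] },
];

// claims: token claims already verified upstream (signature, issuer, audience, expiry assumed checked).
// The tenant comes from the claims only; the tenant in the URL must agree with it.
function authorize(claims, method, path) {
  if (!claims || typeof claims.tenant_id !== 'string' || !ROLES.has(claims.role)) {
    return { ok: false, status: 401, reason: 'unauthenticated' };
  }
  const route = ENDPOINTS.find(e => e.method === method && e.pattern.test(path));
  if (!route) return { ok: false, status: 404, reason: 'no route' };
  const tenantInPath = path.match(route.pattern)[1];
  if (tenantInPath !== claims.tenant_id) return { ok: false, status: 403, reason: 'wrong tenant' };
  if (!route.roles.includes(claims.role)) return { ok: false, status: 403, reason: 'role not permitted' };
  return { ok: true, status: 200, tenantId: claims.tenant_id, role: claims.role };
}

// Constructed sample rows standing in for a tenant-keyed table.
const VIOLATIONS = [
  { id: 'v1', tenantId: 't-hackney', plate: 'AB12CDE', amount: 65 },
  { id: 'v2', tenantId: 't-hackney', plate: 'XY98ZZZ', amount: 130 },
  { id: 'v3', tenantId: 't-camden',  plate: 'CA01MDN', amount: 65 },
];

// Data layer: tenantId is a required first argument on every read, so there is
// no code path that returns rows without a tenant filter.
function listViolations(tenantId) {
  if (!tenantId) throw new Error('tenantId is required');
  return VIOLATIONS.filter(v => v.tenantId === tenantId);
}

function getViolation(tenantId, id) {
  if (!tenantId) throw new Error('tenantId is required');
  // Both keys in the predicate: a valid id from another tenant yields "not found", never the row.
  return VIOLATIONS.find(v => v.tenantId === tenantId && v.id === id) || null;
}

function sumOutstanding(tenantId) {
  return listViolations(tenantId).reduce((sum, v) => sum + v.amount, 0);
}

// Request handler: only the authorised tenant is ever passed down to the data layer.
function handle(claims, method, path) {
  const auth = authorize(claims, method, path);
  if (!auth.ok) return { status: auth.status, body: { error: auth.reason } };
  if (method === 'GET' && /\/violations$/.test(path)) {
    return { status: 200, body: listViolations(auth.tenantId) };
  }
  if (method === 'GET') {
    const row = getViolation(auth.tenantId, path.split('/').pop());
    return row ? { status: 200, body: row } : { status: 404, body: { error: 'not found' } };
  }
  return { status: 204, body: null }; // POST/DELETE bodies omitted in this illustration
}
```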

Session management

Active session listing, force-logout, IP and device-fingerprint binding. Stale sessions expire on schedule.

TLS to managed Postgres

Production traffic to managed Postgres is TLS-only, with the server certificate verified against the provider's CA. That CA certificate is mounted on every pod and loaded through NODE_EXTRA_CA_CERTS, so the Node runtime trusts it without disabling certificate verification.

Encryption at rest

Customer data is encrypted at rest in all environments. Cloudinary-backed media uses signed delivery with expiring tokens.

Service-principal auth

External integrations use service-principal credentials with scoped permissions — never user credentials shared across systems.

Region-matched residency

Cloud SaaS deployments select the region matching the customer's data-residency requirements. On-Premise removes residency from the question entirely.

Secrets handling

All secrets live in the platform secret store and are injected into CI builds and running services at runtime; production secrets never touch source control.

Responsible disclosure

We welcome security research. Please report suspected vulnerabilities to security@etraffica.co.uk with reproduction steps and impact. We respond within one business day and aim to remediate within standard severity windows.

Please do not exfiltrate data, disrupt operations, or test against tenants you do not own. We do not pursue legal action against good-faith research that follows responsible-disclosure practice.

Send security the diligence pack.

Architecture overview, RBAC model, audit-log schema, and our standard responses to the procurement security questionnaire.