_1777711377206.png)
Security
Defense-in-depth, zero-trust.
Every layer of the Traqo platform — from data storage and network communication to user authentication and application logic — is engineered with defense-in-depth principles. AES-256-GCM at rest, TLS 1.3 in transit, field-level PII encryption, HSM-backed key management, enterprise SSO/SCIM, and a 24/7 CIRT with NIST-aligned incident response.
Live module preview
security.traqo.ai/console
Live
Threat Level: Low
All security controls operating normally
0
Active threats
Live access log
2s agoSSO login via Okta
5s agoAPI call /v1/orders
12s agoMFA challenge passed
34s agoLogin attempt — blocked
1m agoReport exported (PDF)
100%
MFA enrolled
1,247
SSO logins (24h)
3
Blocked attempts
Encryption status
Data at rest
AES-256-GCM
Data in transit
TLS 1.3
Field-level PII
Active
Key rotation
90-day cycle
HSM backing
FIPS 140-2 L3
Compliance
ISO 27001
SOC 2 Type II
GDPR
DPDPA
§01
Security architecture overview
Traqo's security architecture is built on a defense-in-depth model comprising multiple concentric layers of protection. Each layer operates independently so that a breach in one layer does not automatically compromise the next.
| Layer | Controls | Technology |
|---|---|---|
| Perimeter | WAF, DDoS mitigation, API gateway rate limiting and request validation | AWS WAF, CloudFront, Kong |
| Network | VPC isolation, private subnets, network ACLs, security groups, IDS/IPS | AWS VPC, Security Groups, GuardDuty |
| Application | Secure SDLC, OWASP Top 10 mitigation, input validation, SAST/DAST scanning | GitHub Actions, Snyk, OWASP ZAP |
| Data | AES-256-GCM at rest, TLS 1.3 in transit, field-level encryption for PII, payment tokenization | AWS KMS, HSM, Let's Encrypt |
| Identity | Zero-trust authentication, RBAC, MFA, SSO integration, session management, IP whitelisting | SAML 2.0, OIDC, FIDO2/WebAuthn |
| Monitoring | SIEM integration, real-time alerting, immutable audit trails, anomaly detection | Splunk, Sentinel, PagerDuty |
Multi-tenant isolation
Tenant-specific schemas, row-level security (RLS), and unique per-tenant encryption keys. Cross-tenant data access is architecturally impossible — enforced at the ORM and API gateway layers.
Zero-trust principles
Every API request is authenticated and authorized regardless of network origin. Service-to-service communication uses mutual TLS (mTLS) with short-lived certificates.
Least-privilege access
Enforced at every layer — users, services, and infrastructure components. Micro-segmentation prevents lateral movement even in the event of a compromise.
§02
Data classification framework
Traqo classifies all data into four sensitivity levels. Each classification dictates specific handling rules for storage, transmission, access, and retention.
| Classification | Description | Examples | Handling Rules |
|---|---|---|---|
| Public | Approved for external distribution | Marketing materials, public API docs, press releases | Standard TLS for transmission; no access restrictions |
| Internal | General business information not intended for public release | Internal reports, aggregated analytics, non-sensitive config data | AES-256 at rest; TLS 1.3 in transit; authenticated access only |
| Confidential | Sensitive business data requiring controlled access | Customer freight data, rate agreements, vendor contracts, order details | AES-256-GCM at rest; RBAC enforcement; audit logging; 7-year retention |
| Restricted | Highly sensitive data subject to regulatory requirements | PII (Aadhaar, PAN), bank details, encryption keys, security logs | Field-level encryption; HSM key management; MFA required; immutable audit trail |
Restricted data handling
Fields classified as Restricted — including Aadhaar numbers, PAN card details, and bank account information — are encrypted at the application layer before database storage using dedicated field-level keys. Even database administrators cannot read plaintext values.