Security Policy
MolTrace security controls protect regulated scientific data, raw evidence archives, analysis outputs, user identities, audit records, and customer workspaces.
Security program
This page is the procurement-facing security template. Certification and control claims must be verified by the security owner before they are used in sales, contracts, or public trust materials.
Infrastructure and hosting
| Control area | Draft position |
|---|---|
| Cloud provider | AWS. |
| Regions | eu-west-1 and us-east-1; no additional region without customer agreement and security review. |
| Workspace isolation | Organization-scoped projects, files, reports, approvals, and audit events. |
| Backups | Encrypted backups with tested restore procedures and documented retention windows. |
Encryption
| Data state | Draft control |
|---|---|
| In transit | TLS 1.3 minimum for public endpoints where supported; no plaintext customer-data transport. |
| At rest | AES-256 or equivalent managed encryption for object storage, databases, and backups. |
| Secrets | Stored in a managed secret store, never committed to source control or documentation examples. |
Access controls
Access should follow least privilege. Administrative actions, exports, approvals, and regulated workflow changes should be logged and reviewable.
Enterprise workspaces should support:
- Role-based access controls.
- MFA enforcement.
- SSO through SAML 2.0 where contracted.
- Just-in-time approval for privileged production access.
- Audit logging for security-relevant administrative actions.
Vulnerability management
| Activity | Draft cadence or SLA |
|---|---|
| Dependency and infrastructure scans | Weekly. |
| External penetration test | Annually. |
| Critical CVE remediation target | 24 hours after validated impact assessment. |
| High CVE remediation target | 7 days after validated impact assessment. |
Certifications and assurance
Use only verified status labels here:
- SOC 2 Type II: add report availability only when completed and approved for NDA sharing.
- ISO 27001: mark as planned or in progress only with an approved target date.
- GDPR DPA: available only after legal approval of the DPA template and subprocessors list.
Incident response
Security incidents should be triaged, contained, investigated, remediated, and communicated according to contractual, regulatory, and legal obligations.
Draft notification target: notify affected customers within 72 hours of confirming an incident that affects their data, then provide a written incident report within 30 days when required by contract or law. Notices should go to the customer’s security contact and billing/admin contact.
Contact
Security reports and responsible disclosure should route to security@moltrace.com. Acknowledge valid reports within two business days. Provide PGP details on request until a public key is posted.