Privacy Policy

The data controller responsible for personal data processed through the Platform is:

• Company: [NOME_EMPRESA]
• Registration: [CNPJ]
• Address: [ENDERECO]
• Data Protection Officer (DPO): [DPO_EMAIL]

The data controller determines the purposes and means of processing personal data collected through the Platform.

Traqen applies the following principles to all data processing activities:

• Purpose limitation: data is processed for legitimate, specific, and clearly communicated purposes.
• Adequacy: processing is compatible with the purposes disclosed to the user.
• Data minimization: only the minimum data necessary to deliver the service is collected.
• Transparency: clear, accurate, and accessible information about data processing is provided.
• Data quality: data is kept accurate, relevant, and up to date.
• Security: technical and organizational measures are implemented to protect personal data.
• Prevention: proactive measures are adopted to help reduce data risk.
• Non-discrimination: data is never processed for unlawful or abusive discriminatory purposes.
• Accountability: effective measures are maintained and documented to support data governance.

Traqen collects the following personal data, along with the purpose and justification for each:

Traqen does not collect sensitive personal data such as health information, sexual orientation, religious beliefs, or biometric data.

Traqen relies on the following legal bases for processing personal data:

Consent is not the primary legal basis for essential service operations.

Source code receives special treatment within the Platform:

• Source code is cloned into ephemeral Docker containers with read-only access.
• Each container is created exclusively for a single scan and automatically destroyed upon completion.
• No source code is permanently stored on Traqen's servers.
• Only vulnerability metadata (type, severity, file location, remediation guidance) is retained.
• GitHub integration tokens are stored with AES-256-GCM encryption and used exclusively for authorized repository access.

This model means Traqen never holds a persistent copy of your code.

Traqen may share personal data in the following circumstances:

• Infrastructure providers (cloud): for hosting and operating the Platform, under contractual data protection clauses.
• Payment processors: for subscription management and billing, limited to strictly necessary data.
• Legal obligation: when required by a competent authority, court order, or legal determination.
• Legal proceedings: when necessary for the exercise of legal rights in judicial, administrative, or arbitration proceedings, including sharing with counsel and experts under professional confidentiality obligations.
• Corporate transactions: in the event of a merger, acquisition, or asset sale, data may be transferred to the successor, with continued protection under this Policy.

Traqen may use aggregated and anonymized data (which does not identify individual users) for statistical purposes, security research, and service improvements.

Traqen does not sell, rent, or share personal data with third parties for marketing, advertising, or any purpose not described in this policy.

Where personal data is stored or processed on servers located outside your jurisdiction, Traqen ensures that international transfers are supported by:

• Standard contractual clauses with infrastructure providers.
• Verification that the destination provides an adequate level of data protection, or implementation of appropriate safeguards.

You may request information about the countries where your data is processed by contacting the DPO.

Personal data is retained for the following periods:

After the periods above, personal data is permanently deleted or anonymized.

Post-termination retention: even after account closure, Traqen may retain personal data when necessary for: (I) compliance with legal or regulatory obligations; (II) exercise of legal rights in proceedings; (III) internal use in anonymized form; or (IV) transfer to a successor entity, subject to applicable data protection requirements.

Traqen uses automated processing to generate risk scores (0 to 100 and A–F classification) based on technical signals collected during scans.

You may request a review of any decision made solely on the basis of automated processing that materially affects your interests.

Traqen will provide information about the general criteria and procedures used in scoring, subject to trade secret and proprietary protections.

The Platform is not intended for individuals under 18 years of age and does not knowingly collect personal data from children.

If Traqen becomes aware that data has been collected from a child in violation of this policy, it will take steps to delete such data and restrict further processing.

Depending on your jurisdiction, you may have the right to:

1. Confirmation of whether your personal data is being processed.
2. Access to the personal data held about you.
3. Correction of incomplete, inaccurate, or outdated data.
4. Anonymization, blocking, or deletion of unnecessary data or data processed without proper basis.
5. Portability of your data to another service provider (upon express request to the DPO).
6. Deletion of personal data processed on the basis of consent.
7. Information about entities with whom your data has been shared.
8. Information about the option to withhold consent and its consequences.
9. Withdrawal of consent at any time, through an express request.

To exercise any of these rights, contact our Data Protection Officer at [DPO_EMAIL]. Requests will be addressed within 15 business days.

The Platform uses cookies and similar technologies for proper service operation:

Traqen uses only essential and functional cookies. No tracking cookies, third-party analytics, or advertising cookies are used.

Traqen implements the following technical and organizational measures to protect personal data:

• Encryption in transit: all communications use HTTPS/TLS.
• Token encryption: integration tokens are stored with AES-256-GCM.
• Ephemeral containers: source code is processed in isolated, temporary environments (Docker-in-Docker).
• Rate limiting: abuse protection at 100 requests/minute.
• SSRF protection: blocklist of internal and private addresses.
• CSP headers: Content Security Policy with dynamic nonce for XSS prevention.
• Read-only access: code scans operate without write permissions to repositories.
• Access controls: OAuth authentication with short-lived JWT tokens (5 min BFF, 2h internal).

Privacy by design: security measures are incorporated from the initial design phase and throughout the entire lifecycle of Traqen's products and services.

Data governance program: Traqen maintains internal policies, periodic training, processing activity mapping, and continuous risk assessments.

In the event of a security incident that may pose a risk to data subjects, Traqen commits to:

• Notify the relevant supervisory authority within the timeframe required by applicable law.
• Notify affected individuals about the nature of the data compromised, the measures taken, and recommendations.
• Take immediate steps to contain and remediate the incident.
• Maintain documented records of the incident and the actions taken.

Notifications will include, where possible: the nature of the data affected, the individuals involved, technical and security measures in place, risks related to the incident, and measures adopted to mitigate potential harm.

You are fully responsible for:

• Ensuring the legality of all data, source code, repositories, and assets submitted to the Platform for analysis, including having legitimate authorization from their owners.
• Ensuring that submitted code does not violate intellectual property rights, trade secrets, non-disclosure agreements (NDAs), or any other third-party rights.
• Maintaining your own backups of your data, code, and scan results. Traqen is not a storage or backup service and has no obligation to recover lost, corrupted, or deleted data.
• Independently evaluating and validating scan results before making security decisions based on them.
• Complying with all applicable laws and regulations related to your use of the Platform, including data protection, intellectual property, and cybersecurity laws.

Traqen assumes no responsibility for intellectual property violations, privacy breaches, or any other third-party rights infringements committed by the user through the Platform.

This Privacy Policy may be updated periodically. Changes will be communicated by email and published on this page with the new effective date.

We recommend reviewing this page periodically to stay informed about how we protect your data.

To exercise your rights, ask questions, or report incidents related to personal data:

• Data Protection Officer (DPO): [DPO_EMAIL]
• Address: [ENDERECO]

If you believe your request has not been adequately addressed, you may file a complaint with the relevant data protection authority in your jurisdiction.