Security & Privacy

Trust & Security

Your supply chain data is sensitive. Here's how Silvatrace protects it — with EU-hosted infrastructure, GDPR compliance, and transparent data practices.

EU-Hosted Infrastructure

  • All data is stored and processed in Germany (EU) on dedicated Contabo servers
  • PostgreSQL database with PostGIS for geospatial data — no cloud databases, no shared tenancy
  • No data leaves the EU — processing, storage, and application logic are all within EU jurisdiction
  • TLS 1.3 for all data in transit, with certificates issued and renewed automatically through Let's Encrypt
  • Observability and log traces processed on Pydantic Logfire EU servers (Frankfurt)

Data Protection

  • Passwords hashed with bcrypt at cost factor 12 (2^12 key-setup rounds per hash); never stored in plaintext
  • JWT-based session authentication with short-lived tokens
  • Database credentials and API keys stored as environment variables, never in code
  • Firewall restricts access to HTTPS (443) and SSH (22) only — no other ports exposed
  • Database is internal-only — not accessible from the internet
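The two application-level controls above, as an added illustration that is not Silvatrace's own code: a short-lived HS256 session JWT minted and verified with the Python standard library only (algorithm pinned by the verifier, signature compared in constant time, expiry enforced with a small clock-skew allowance), and a policy check that stored password hashes carry a bcrypt cost of at least 12. The secret, the 15-minute lifetime and the sample hash strings are constructed for the example; the sample hashes are format-valid but their salt/hash part is filler, not real bcrypt output.

```python
# Added example, not Silvatrace's code: stdlib-only HS256 JWT mint/verify
# with a short lifetime, plus a policy check on the bcrypt cost of stored hashes.
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed session lifetime for this example
CLOCK_SKEW_SECONDS = 30       # tolerance for clock drift between issuer and verifier


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, subject: str,
               ttl: int = TOKEN_TTL_SECONDS, now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT that expires `ttl` seconds after `now`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Return the payload if signature and expiry check out, else raise TokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed header")
    # The verifier decides the algorithm: a token claiming alg=none or RS256 is rejected.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):   # constant-time compare
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(p))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW_SECONDS:
        raise TokenError("expired")
    return payload


def token_is_valid(secret: bytes, token: str, now: Optional[int] = None) -> bool:
    try:
        verify_token(secret, token, now)
        return True
    except TokenError:
        return False


# bcrypt modular-crypt format: $2b$<cost>$<22-char salt><31-char hash>
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(stored_hash: str) -> Optional[int]:
    """Cost factor (log2 of the key-setup rounds) of a stored bcrypt hash, or None."""
    m = _BCRYPT_RE.match(stored_hash)
    return int(m.group(1)) if m else None


def meets_hash_policy(stored_hash: str, min_cost: int = 12) -> bool:
    cost = bcrypt_cost(stored_hash)
    return cost is not None and cost >= min_cost


# Constructed samples: format-valid, but the salt/hash part is filler, not real bcrypt output.
_FILLER = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_COST12 = "$2b$12$" + _FILLER
SAMPLE_COST10 = "$2b$10$" + _FILLER

if __name__ == "__main__":
    secret = b"example-secret-from-env"   # in production, read from the environment
    issued = 1_700_000_000
    tok = mint_token(secret, "user-42", now=issued)
    print(verify_token(secret, tok, now=issued + 60))
    print(token_is_valid(secret, tok, now=issued + TOKEN_TTL_SECONDS + CLOCK_SKEW_SECONDS + 1))
    print(meets_hash_policy(SAMPLE_COST12), meets_hash_policy(SAMPLE_COST10))
```

The verifier never reads the algorithm from the token, so an `alg: none` header or a token signed under a different key fails before the payload is looked at; the bcrypt check is the kind of audit query you would run over a users table after raising the cost factor, to find hashes that still need re-hashing at next login.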

GDPR Compliance

  • Data export available: download all your suppliers, plots, assessments, and reports as JSON
  • Account deletion requests processed within 30 days per GDPR Article 17 (Right to Erasure)
  • Minimal data collection — we only collect what's necessary for EUDR compliance
  • No third-party analytics trackers on the dashboard
  • Data Processing Agreement (DPA) available upon request for enterprise customers

Satellite Data & Third-Party Services

  • Deforestation risk assessments use Copernicus Sentinel-2 satellite imagery — the EU's own Earth observation programme
  • NDVI (Normalized Difference Vegetation Index) change detection methodology is documented and reproducible
  • Baseline period: June–August 2020 (before the EUDR cutoff date of December 31, 2020)
  • 10-meter spatial resolution from Sentinel-2 multispectral imagery
  • Maps powered by Mapbox GL; plot coordinates sent to Mapbox for rendering are encrypted in transit and are not stored by Mapbox
  • All satellite evidence is included in PDF compliance reports for audit trail purposes

Compliance & Audit Trail

  • Complete audit log of all actions: login, data creation, assessment triggers, report generation
  • 5-year record retention as required by EUDR Article 12
  • PDF compliance reports include methodology, legal framework references (Articles 2, 3, 8), and disclaimers
  • Due Diligence Statement preparation follows the TRACES NT submission format

Payment Security

  • Payments processed by Stripe — PCI DSS Level 1 certified
  • No credit card numbers are stored on our servers
  • Subscription management via Stripe's secure customer portal
  • Invoices and receipts available through your Stripe billing dashboard

Security Contact

Found a security vulnerability? Have questions about our data practices? Contact us at [email protected]