Security & Data Handling

Technical controls, data minimization, and compliance.

Core Principle: Data Minimization

Tranzia is designed to function without PII (Personally Identifiable Information). Our API scores routes and contexts, not people.

What we DO NOT require:

  • User Names
  • Email Addresses
  • Phone Numbers
  • Device IDs

Data Retention

Decision Receipts: Retained for the duration of your contract period (default: 1 year) to likely support audit defense.

BYOB Policy: If you configure "Bring Your Own Bucket" export, you control the master copy of your data regardless of our retention policies.

Export Security Controls

When pushing data to your infrastructure (Webhooks / BYOB), we enforce strict network controls to prevent abuse (SSRF).

  • Protocol: HTTPS Only (TLS 1.2+).
  • Timeouts: Aggressive timeouts (3.05s connect, 15s read) to prevent resource exhaustion.
  • Payloads: Strict verification of content types (`application/json` or `application/pdf`).
  • Egress: Traffic originates from a static set of IP addresses (available on request).
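A pre-flight check of this kind, as an added example that is not Tranzia's own code: it vets a customer-supplied export destination against the protocol, timeout and content-type rules listed above before any connection is opened. The rejection of non-public addresses, the function names and the stub resolver data are assumptions made for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

TIMEOUTS = (3.05, 15)  # (connect, read) seconds, as listed above
ALLOWED_TYPES = {"application/json", "application/pdf"}

class ExportRejected(ValueError):
    """Destination or payload failed a pre-flight check."""

def system_resolve(host, port):
    """Every address the name maps to; all of them must pass."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_export(url, content_type, resolve=system_resolve):
    """Vet a customer-supplied destination before any socket is opened.

    Returns (hostname, vetted_ips, timeouts). The sender should connect to
    one of vetted_ips (keeping hostname for SNI and certificate checks) and
    refuse redirects, so a second DNS answer cannot bypass this check.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ExportRejected("scheme must be https")
    if not parts.hostname or parts.username or parts.password:
        raise ExportRejected("malformed destination")
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ALLOWED_TYPES:
        raise ExportRejected("content type not allowed")
    ips = resolve(parts.hostname, parts.port or 443)
    if not ips:
        raise ExportRejected("hostname did not resolve")
    for ip in ips:
        # Assumption: loopback, private, link-local and reserved ranges are refused.
        if not ipaddress.ip_address(ip).is_global:
            raise ExportRejected(f"{ip} is not a public address")
    return parts.hostname, ips, TIMEOUTS

# Constructed sample data: a stub resolver so the checks run offline.
SAMPLE_DNS = {
    "hooks.customer.example": ["93.184.216.34"],
    "metadata.customer.example": ["169.254.169.254"],
    "mixed.customer.example": ["93.184.216.34", "10.0.0.5"],
}

def sample_resolve(host, port):
    return SAMPLE_DNS.get(host, [])
```

A name that resolves to both a public and an internal address is rejected as a whole, because the sender cannot know in advance which record a later lookup would return.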

Subprocessors

We use the following third-party processors to deliver our service:

| Entity | Purpose | Location |
| --- | --- | --- |
| Supabase (AWS) | Database & Real-time | US-East (N. Virginia) |
| Vercel | Edge Compute & Hosting | Global (Anycast) |
| Stripe | Billing & Payments | Global |