Trust Center
Doing vendor risk on TractionGRC?
Everything you need to evaluate TractionGRC as a vendor — privacy commitments, security practices, sub-processors, the standard Data Processing Addendum, and how to reach us with questions. Last updated 1 May 2026.
Standard DPA
Data Processing Addendum
If you are a Controller and TractionGRC is your Processor under the GDPR, UK GDPR, CCPA, or comparable law, our standard DPA is below. It is pre-signed by TractionGRC and takes effect when you countersign or accept it through the self-service flow.
When you need a countersigned copy: your security team requires a fully executed (signed by both parties) DPA on file, your procurement system rejects pre-signed addenda, or your regulator requires named-party execution. Use the request button above and we will return a countersigned copy by email, typically within 2 business days.
When the pre-signed version is enough: you are accepting the DPA as-is and want it on file as part of your vendor record. Download, sign your side, and retain the executed copy.
Sub-processors
We share customer data only with the third-party providers necessary to operate the service. Each is bound by data-protection obligations substantially as protective as those in our DPA. Material changes are announced at least 30 days in advance.
| Sub-processor | Service | Purpose |
|---|---|---|
| Microsoft Corporation | Azure (cloud platform & OpenAI Service) | Cloud hosting, database, infrastructure, and Azure OpenAI Service inference. |
| Anthropic, PBC | Claude API | Claude API for TractionAI AI assistant features. |
| Stripe, Inc. | Stripe (payments) | Payment processing and billing. |
| Twilio Inc. | SendGrid (transactional email) | Transactional email delivery. |
AI and your data
TractionAI is our AI assistant. Customer trust in this feature is central to the platform, so we are explicit about how it works.
What we do
- Pass your prompt and relevant workspace context (org name, size, industry, frameworks in scope, current document) to Anthropic or Azure OpenAI at inference time.
- Log TractionAI requests for a limited period for debugging, abuse prevention, and safety review.
- Use aggregated, de-identified usage analytics to understand which features are useful.
What we don't do
- Use customer data to train AI models. This applies to TractionGRC and to our AI sub-processors, who are contractually prohibited from using your data for model training, fine-tuning, or improvement. Your data is passed at inference time only. (See DPA § 5.5.)
- Sell or share customer data for advertising or any other commercial purpose.
- Combine your data with another customer's data for any purpose.
Security
A high-level overview of the technical and organizational measures we maintain. Detailed measures are described in Annex B of the DPA.
Encryption in transit
TLS 1.2+ for all customer connections.
Encryption at rest
Industry-standard algorithms via Azure managed key services.
Access control
Role-based access; MFA for administrative access; periodic reviews.
Network protection
Segmented production network; WAF; DDoS mitigation; intrusion detection.
Application security
Secure SDLC; dependency monitoring; periodic penetration testing.
Incident response
Documented procedures; 72-hour breach notification commitment.
Logging and monitoring
Centralized logging with security event alerting.
Backup and recovery
Encrypted backups with documented restore procedures.
Vendor management
Sub-processor due diligence and contractual data-protection terms.
Compliance program
We're a GRC vendor — so we eat our own cooking. Our compliance program runs inside TractionGRC itself.
SOC 2 Type II
Pre-audit phase. Available to qualified prospects under NDA.
ISO 27001
Stage 1 readiness in progress. Statement of Applicability available on request.
Microsoft SSPA
Active participant. Annual response on file.
Documents
Contact
For security questionnaires, DPA execution, breach notifications, or any other vendor-risk question, the right inboxes are below. We respond within 2 business days.