We practice what we preach.
ONTRACE.AI is a security company. We manage our own ISMS using ONTRACE, and we hold ourselves to the same standards we help our customers meet. Transparency, sovereignty, and human control aren't selling points — they're operational commitments.
Trust at a Glance
Data Sovereignty: Any region
Encrypted at Rest: AES-256
Encrypted in Transit: TLS 1.3
ISO 27001 Aligned: Internally operated
SOC 2 Aligned: Trust criteria
Human Override: Always in control
Transparent AI: Explainable outputs
GDPR Ready: EU compliance
Our Commitments
Six pillars of trust.
Every decision we make about how ONTRACE.AI handles your data, operates its AI, and manages its infrastructure is grounded in these commitments.
Data Sovereignty
Your data lives where your regulations require.
Encryption
Encrypted at rest and in transit — always.
Transparent AI
AI that explains itself — no black boxes.
Human Override
Humans remain in control. Always.
SOC 2 Alignment
Security controls aligned to SOC 2 Trust Service Criteria.
ISO 27001 Alignment
We operate our own ISMS — and we use ONTRACE for it.
AI Transparency
Every AI decision is explainable.
When an ONTRACE.AI agent identifies a risk, recommends a control, or generates a compliance assessment, it tells you exactly why — citing the specific data, documents, and reasoning that led to the conclusion.
We fundamentally believe that AI in security and compliance must be transparent. Black-box AI assessments that can't be audited have no place in a regulated compliance function.
Source Citations
Every AI output cites the source documents and data used.
Confidence Levels
AI recommendations include confidence indicators based on evidence quality.
Decision Trails
Full audit trail of AI reasoning is preserved for compliance and review.
Human Validation
All AI outputs require human review before any compliance assertion is recorded.
Example: AI Risk Assessment Output
Finding: Insufficient access controls on shared admin accounts
Control: ISO 27001 A.9.2.3 — Privileged access controls
AI Reasoning: "Based on ServiceNow CMDB data (3 shared admin accounts detected) and SharePoint access policy document v2.1 (no MFA requirement for admin accounts documented), combined with ISO 27001 Annex A.9.2.3 requirements..."
Status: Pending human review
Data Handling
Your data, handled with precision.
Purpose Limitation
Your data is used solely for delivering the ONTRACE.AI service. It is not used to train AI models, sold to third parties, or shared with other customers.
Data Minimization
We collect and process only the data necessary to provide the service. Unnecessary data collection is not part of our design.
Retention Controls
Configurable data retention periods. Data deletion requests are honored within agreed timescales. Audit trails are preserved as required by compliance frameworks.
Portability
Your data is yours. Export your full ISMS dataset at any time in standard formats. No lock-in, no hostage data.
Certifications
Alignment with global security standards.
ONTRACE.AI operates under security controls aligned to industry standards. Formal certification details are available to enterprise customers under NDA.
ISO 27001: Internally operated ISMS
SOC 2: Trust Service Criteria
GDPR: EU data handling requirements
Questions?
Trust questions deserve straight answers.
Security teams should interrogate their vendors' security practices before onboarding. We welcome those conversations. Contact us to request our security documentation, DPA, or to schedule a security review call.