Trust Center

Built to pass your security review.

Trust is what we sell, so it's how we run. Here's how Provena Trust handles your data, proves its controls, and supports your procurement and vendor-risk process.

How your data is protected

Controls, in plain terms.

Data & residency

  • We hold supply-chain records, supplier credentials and attestations — not consumer payment data
  • Hosted on major cloud infrastructure with regional residency options (US / EU)
  • Customer data is logically isolated per tenant
  • Defined retention and deletion on request

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 at rest
  • Managed keys via cloud KMS; Darpan brand-signing keys held under your control
  • Secrets isolated from application code

Access control

  • Role-based access with least-privilege defaults
  • SSO / SAML and enforced MFA for administrators
  • Full audit logging of credential and data access
  • Background-checked personnel; access reviewed regularly

Resilience & testing

  • Automated backups with tested restore
  • Independent penetration testing on a recurring cadence
  • Adversarial review before every launch
  • Documented incident-response process

Attestations & frameworks

What we can show your reviewers.

  • SOC 2 Type II (status: In progress). Security, availability and confidentiality controls, independently examined.
  • GDPR & DPA (status: Available). Data Processing Agreement and EU data-handling commitments available on request.
  • ISO 27001 (status: Roadmap). Information security management system.
  • Penetration test summary (status: On request). Executive summary of the most recent third-party test, under NDA.

⚠ Internal note — confirm each status before publishing; do not list an attestation we don't actually hold.

Standards alignment

Built on open standards, not lock-in.

Identifiers & data

  • GS1 Digital Link for product identity
  • EPCIS event model for chain-of-custody
  • CIRPASS-aligned DPP data model

Regulatory targets

  • EU ESPR Digital Product Passport (2027)
  • US UFLPA evidence and screening
  • ISO 14067 / PEF lifecycle methods

Subprocessors

Who else touches the data.

We use a short, vetted list of infrastructure and tooling subprocessors — cloud hosting, monitoring, and transactional communications. The current list, with purpose and data scope for each, is maintained as a living document and provided in the security package. Customers are notified of material changes.

The posture

Verifiable, not just stated.

The whole product exists because assertions aren't evidence. We hold ourselves to the same bar: where we make a security claim, we can show the control behind it — and where something is still on the roadmap, we say so plainly rather than implying more than is true. That honesty is the point of a trust company.

Request the security package.

SIG / CAIQ responses, the DPA, our subprocessor list, and the latest pen-test summary — sent to your security or procurement team under NDA.