TRUST & SECURITY

What we do, what we have, what you can review.

TradeOS holds your operational data — orders, shipments, contracts, financial records, supplier relationships, customer data, communications across seven channels. We treat that responsibility as the price of admission for a trade platform. Not a marketing position. A baseline. This page documents what we've built, what we're certified for, what we contractually commit to, and what your team can review independently.


At a glance:

  • Audit (annual): SOC 2 Type II · full report under NDA · executive summary public
  • ISMS (3-year cycle): ISO 27001:2022 · all platform operations · annual surveillance
  • Privacy (EU subjects): GDPR + DPA · standard in Business+ · custom at Enterprise
  • Reliability: 99.95% uptime SLA · status.edma.trade · public history

CERTIFIED

Audited. Documented. Available under NDA.

Every claim on this page maps to a specific artifact your team can review. Public artifacts download from the link below. NDA-protected artifacts deliver within 2 business days of an executed standard NDA.

SOC 2 Type II · current

Scope: Operational data, customer data, AI infrastructure, identity management
Audit firm: [TBD — Big 4 / Schellman]
Period: Annual · 12-month operational window
Available: Full report under NDA · executive summary public
Next renewal: [TBD — Month YYYY]

Trust services criteria: Security, Availability, Confidentiality. Processing Integrity and Privacy added at next renewal.

ISO 27001:2022 · current

Scope: ISMS covering all platform operations — development, infrastructure, support, corporate
Cert. body: [TBD]
Period: 3-year cycle · annual surveillance audits
Available: Certificate public · SoA under NDA
Next surveillance: [TBD — Month YYYY]

Statement of Applicability documents the 93 Annex A controls in scope; available under standard NDA alongside the SOC 2 full report.

GDPR · EU · compliant

Scope: All EU data subjects, including customer end-users in EU operator workspaces
Docs: DPA · Records of Processing Activities (ROPA) · DPIA template
Inclusion: DPA standard in Business+ contracts · custom DPA negotiable at Enterprise
DPO: [TBD — Name + email]
Transfer: European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914) · Schrems II compliant

EDMA serves as Data Processor for customer-supplied data; Data Controller for user account data only.

HIPAA · BAA · conditional

Scope: Healthcare customers handling Protected Health Information (PHI)
Tier: BAA execution at Business+ · qualified healthcare customers
Conditions: Customer must operate as a Covered Entity or Business Associate under HIPAA
PHI handling: Encryption + minimum-necessary access + 6-year audit log retention

Not applicable to non-healthcare workspaces. BAA terms are an addendum to the standard MSA, not a separate contract.

On the 2026–2027 compliance roadmap: PCI-DSS Level 1 (payment workflows), ISO 27701 (privacy management extension to 27001), SOC 2 Type II scope expansion to Sovereign and Air-Gapped deployment tiers. Public quarterly progress on the newsroom.

WHERE YOUR DATA LIVES

Geographic data residency by deployment tier.

Three standard regions for Business customers. Single-tenant Sovereign deployment in any of ~25 cloud regions at Enterprise. Air-gapped deployment for customers whose data cannot leave their own infrastructure.

Residency map (default behavior: in-region; 3 standard regions + ~25 Sovereign regions). Data stays in the selected region; cross-region DR is opt-in only.

R1 · US — US-East · Virginia (default)

Default for Starter, Solo, Business. SCCs in place for EU data subjects when applicable.

Posture: SOC 2 · ISO 27001 · GDPR (SCCs) · HIPAA-eligible

R2 · EU — EU-Central · Frankfurt (Business+)

GDPR-native: no SCCs needed for EU data subjects. Schrems II compliant. Local law: German BDSG + EU GDPR primary.

Posture: SOC 2 · ISO 27001 · GDPR-native · Schrems II

R3 · APAC — Southeast · Singapore (Business+)

Singapore PDPA and Hong Kong PDPO compatibility. Supports SE Asia data residency requirements.

Posture: SOC 2 · ISO 27001 · PDPA (SG) · PDPO (HK)

S · Sovereign — any AWS / GCP / Azure region (Enterprise)

Single-tenant VPC in a customer-specified region (~25 globally). Inherits the region's compliance regime plus customer-managed encryption keys.

Posture: 25+ regions · CMK / BYOK · VPC isolation

AG · Air-gapped — customer infrastructure (Enterprise)

Fully self-hosted. No data leaves the customer environment. Local Gemma 4 E4B model included; commercial AI requires customer-provisioned keys.

Posture: Self-hosted · Local AI (Gemma) · Defense-eligible

Cross-region data movement is opt-in and auditable. Default behavior: data stays in your selected region. Backup and disaster recovery: within-region only unless customer explicitly requests cross-region DR in writing as a contract addendum.

ENCRYPTION

At rest, in transit, in use. End-to-end.

Specific algorithms, specific key hierarchies, specific compute attestation. Customer-managed keys at Enterprise: disable or destroy the wrapping key and EDMA can no longer decrypt your data, not even for our own incident response.

[01]

At rest

Data at rest

  • AES-256-GCM for all stored data — databases, object storage, backups.
  • Per-tenant encryption keys enforce workspace-level isolation; no shared keys across tenants.
  • Hierarchical KMS: tenant master keys derive data-encryption keys; root keys never leave the HSM.
  • Backup encryption uses a separate key hierarchy; restore requires explicit customer authorization.
  • Audit logs encrypted with a third key family — retention enforced cryptographically, not just by access control.
[02]

In transit

Data in transit

  • TLS 1.3 for all external communications — no TLS 1.2 fallback.
  • Certificate pinning on iOS and Android mobile applications.
  • Mutual TLS (mTLS) for service-to-service authentication inside the platform.
  • API requests authenticated via signed JWTs with 1-hour expiry and audience-scoped claims.
  • WebSocket connections inherit the same TLS 1.3 standard; no plaintext fallback.
[03]

In use · compute

Data in use

  • Standard SaaS: TPM attestation on the control plane; sensitive workloads in attested runtimes.
  • Sovereign tier: confidential computing on AWS Nitro Enclaves or GCP Confidential Computing — even EDMA engineers cannot access decrypted data.
  • Air-gapped tier: encryption keys and decryption operations remain entirely on customer infrastructure.
  • Memory zeroization on enclave shutdown; no swap-to-disk for cleartext working memory.
Enterprise · key sovereignty: BYOK & HYOK supported

Bring Your Own Key and Hold Your Own Key are supported across the major key managers. You can revoke EDMA's access to your data at any moment by disabling the wrapping key, revoking EDMA's grant on it, or scheduling its destruction. After revocation, EDMA cannot decrypt: not for support, not for incident response, not for any reason. Note that rotation alone is not revocation. Every key manager listed below keeps prior key versions available so that existing wrapped keys still unwrap; that is what keeps your data readable through a routine rotation, and it is why revocation requires disabling or destroying the key rather than rotating it.

Supported: AWS KMS · Azure Key Vault · GCP Cloud KMS · HashiCorp Vault
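The key hierarchy and revocation semantics described above, as an added example in Go that is not EDMA's own code: a stand-in `CustomerKMS` type (an assumed API, not any vendor's SDK) holds the wrapping key, the platform stores only a wrapped tenant master key and per-record wrapped data keys, and data is sealed with AES-256-GCM bound to the tenant id through additional authenticated data. It also shows why rotation is not revocation: after `Rotate` the old version still unwraps, after `Revoke` every decrypt fails. Tenant ids and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// aeadSeal encrypts with AES-256-GCM and prepends the random 12-byte nonce; aad
// (the tenant id) binds the ciphertext to its tenant so it cannot be replayed elsewhere.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// newKey returns a fresh 256-bit key.
func newKey() []byte { k := make([]byte, 32); if _, err := rand.Read(k); err != nil { panic(err) }; return k }

// CustomerKMS stands in for the customer's key manager (assumed API, not any vendor's).
// It alone holds wrapping-key material; the platform only ever sees wrapped keys. Rotate
// adds a version and keeps the old ones, as AWS KMS, Azure Key Vault, GCP Cloud KMS and
// Vault transit all do by default, so rotation on its own never revokes anything.
type CustomerKMS struct {
	versions map[int][]byte
	current  int
}

func NewCustomerKMS() *CustomerKMS { k := &CustomerKMS{versions: map[int][]byte{}}; k.Rotate(); return k }
func (k *CustomerKMS) Rotate()     { k.current++; k.versions[k.current] = newKey() }
func (k *CustomerKMS) Revoke()     { k.versions = map[int][]byte{} } // disable or destroy: no version unwraps

// Wrap returns the key version used so that Unwrap still succeeds after a rotation.
func (k *CustomerKMS) Wrap(plainKey, aad []byte) (int, []byte, error) {
	w, err := aeadSeal(k.versions[k.current], plainKey, aad) // nil key after Revoke fails in newGCM
	return k.current, w, err
}

func (k *CustomerKMS) Unwrap(version int, wrapped, aad []byte) ([]byte, error) {
	kek, ok := k.versions[version]
	if !ok { return nil, errors.New("kms: key version revoked or destroyed") }
	return aeadOpen(kek, wrapped, aad)
}

// Tenant is the platform's per-workspace state: the tenant master key (TMK) is stored
// only wrapped, and is in the clear only transiently inside Encrypt and Decrypt.
type Tenant struct{ ID string; KeyVersion int; WrappedTMK []byte }

func NewTenant(kms *CustomerKMS, id string) (Tenant, error) {
	ver, w, err := kms.Wrap(newKey(), []byte(id))
	return Tenant{ID: id, KeyVersion: ver, WrappedTMK: w}, err
}

// Record is one stored object: a per-record data key wrapped by the TMK plus the data sealed under it.
type Record struct{ WrappedDEK, Ciphertext []byte }

func Encrypt(kms *CustomerKMS, t Tenant, plaintext []byte) (Record, error) {
	aad := []byte(t.ID)
	tmk, err := kms.Unwrap(t.KeyVersion, t.WrappedTMK, aad)
	if err != nil { return Record{}, err }
	dek := newKey()
	wDEK, err := aeadSeal(tmk, dek, aad)
	if err != nil { return Record{}, err }
	ct, err := aeadSeal(dek, plaintext, aad)
	return Record{WrappedDEK: wDEK, Ciphertext: ct}, err
}

func Decrypt(kms *CustomerKMS, t Tenant, r Record) ([]byte, error) {
	aad := []byte(t.ID)
	tmk, err := kms.Unwrap(t.KeyVersion, t.WrappedTMK, aad)
	if err != nil { return nil, err }
	dek, err := aeadOpen(tmk, r.WrappedDEK, aad)
	if err != nil { return nil, err }
	return aeadOpen(dek, r.Ciphertext, aad)
}

func main() {
	kms := NewCustomerKMS()
	tenant, _ := NewTenant(kms, "tenant-acme")
	rec, _ := Encrypt(kms, tenant, []byte("PO-1042: 40ft container, FOB Shanghai")) // constructed sample
	kms.Rotate() // old version retained: still readable
	pt, err := Decrypt(kms, tenant, rec)
	kms.Revoke() // every version gone: nothing unwraps
	_, err2 := Decrypt(kms, tenant, rec)
	fmt.Printf("after rotate: %q err=%v\nafter revoke: err=%v\n", pt, err, err2)
}
```

The first Decrypt succeeds after Rotate because the KMS still holds version 1; the second fails after Revoke because the platform holds nothing but wrapped keys and ciphertext. In a real deployment the aad would also carry the key version and object id, and the Wrap/Unwrap calls would be the provider SDK's encrypt/decrypt operations on the customer's key.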

ACCESS CONTROL

Who can do what — with full audit visibility.

Authentication, authorization, and audit are three separate systems with three separate guarantees. RBAC with field-level granularity. Tamper-evident audit logs with cryptographic chaining. SIEM-compatible export at Business+.

Authentication

[01 / 03]

How users sign in.

  • Email + password with optional TOTP 2FA (Starter · Solo)
  • SSO via SAML 2.0 and OIDC (Business+)
  • SCIM 2.0 for user provisioning and deprovisioning (Business+)
  • Mandatory 2FA enforceable per role (Business+)
  • Passwordless via passkeys / WebAuthn: recommended over passwords on every tier

IDPs tested in production

Okta · Microsoft Entra ID (Azure AD) · Google Workspace · Auth0 · OneLogin · Duo · Ping Identity · JumpCloud

Authorization

[02 / 03]

Who can do what.

  • RBAC with 6 default roles + unlimited custom roles
  • Permission granularity: section · action · field
  • Workspace-scoped — multi-tenant operators get per-workspace permission sets
  • Time-bound access — temporary roles with explicit expiration
  • Privileged access management for support escalations
  • Just-in-time (JIT) elevation for high-risk operations
  • Approval workflows for sensitive actions — configurable per workspace

Default roles

Owner · Admin · Operator · Finance · Viewer · Partner

Audit trail

[03 / 03]

Every event, logged.

  • Authentication events: success, failure, location, device
  • Authorization decisions: who, what, when, granted/denied, basis
  • Data access logged at row level for sensitive entities — orders, contracts, financial records
  • Tamper-evident audit log with cryptographic chaining — every entry hash-linked to its predecessor
  • Export formats: CEF, LEEF, JSON (SIEM-compatible, Business+)

SIEM targets validated

Splunk · Datadog · Sumo Logic · Elastic SIEM · Microsoft Sentinel
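The hash-linked audit log described above, as an added example in Go that is not EDMA's implementation: each entry's hash covers the previous hash plus the record, `Verify` recomputes every link, and `HeadMatches` compares the chain head against a checkpoint hash kept outside the log store (a signed checkpoint, or the copy already exported to the customer's SIEM). The checkpoint is the part that matters: an insider with write access can edit a record and re-hash everything after it, and only a trusted head hash catches that. Field names, the genesis value and the sample entries are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one audit record. Hash covers PrevHash plus the canonical JSON of
// the other fields, so changing any field breaks the link to the next entry.
type Entry struct {
	Seq      int    `json:"seq"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Resource string `json:"resource"`
	Decision string `json:"decision"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// genesisHash anchors entry 0 (32 zero bytes, hex). Constructed for the example.
var genesisHash = hex.EncodeToString(make([]byte, 32))

// computeHash returns hex(SHA-256(PrevHash || json(entry with Hash cleared))).
// encoding/json writes struct fields in declaration order, which makes the
// serialisation canonical enough to serve as a hash input.
func computeHash(e Entry) string {
	e.Hash = ""
	body, err := json.Marshal(e)
	if err != nil {
		panic(err) // only reachable with unmarshalable fields; none here
	}
	h := sha256.New()
	h.Write([]byte(e.PrevHash))
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// Append links a new record to the chain and returns the extended chain.
func Append(chain []Entry, actor, action, resource, decision string) []Entry {
	prev := genesisHash
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := Entry{Seq: len(chain), Actor: actor, Action: action, Resource: resource, Decision: decision, PrevHash: prev}
	e.Hash = computeHash(e)
	return append(chain, e)
}

// Verify recomputes every link and returns the index of the first entry whose
// sequence number (catches deletions), predecessor link or own hash does not
// check out, or -1 if all links are consistent.
func Verify(chain []Entry) int {
	prev := genesisHash
	for i, e := range chain {
		if e.Seq != i || e.PrevHash != prev || computeHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// HeadMatches compares the chain head against a checkpoint hash kept outside
// the log store (signed and published, or copied to the customer's SIEM). This
// is the check that defeats an insider who edits a record and re-hashes the
// tail: the links verify, but the head no longer equals the checkpoint.
func HeadMatches(chain []Entry, checkpoint string) bool {
	return len(chain) > 0 && chain[len(chain)-1].Hash == checkpoint
}

// Rehash rebuilds every link from the start, as an attacker with write access
// to the log store would after editing a record.
func Rehash(chain []Entry) []Entry {
	out := make([]Entry, len(chain))
	prev := genesisHash
	for i, e := range chain {
		e.PrevHash = prev
		e.Hash = computeHash(e)
		out[i] = e
		prev = e.Hash
	}
	return out
}

func main() {
	var chain []Entry // sample entries are constructed for the example
	chain = Append(chain, "ops@example.com", "read", "orders/1042", "granted")
	chain = Append(chain, "finance@example.com", "export", "ledger/2026-Q1", "granted")
	chain = Append(chain, "partner@example.net", "read", "contracts/77", "denied")
	checkpoint := chain[len(chain)-1].Hash // would be published out of band

	tampered := append([]Entry(nil), chain...)
	tampered[2].Decision = "granted" // in-place edit: link 2 breaks
	fmt.Println("first broken entry:", Verify(tampered))

	rehashed := Rehash(tampered) // insider re-hashes the tail: links verify, head differs
	fmt.Println("links intact:", Verify(rehashed) == -1, "head matches checkpoint:", HeadMatches(rehashed, checkpoint))
}
```

A plain hash chain proves internal consistency, not authenticity: anyone who can write the store can rewrite the tail. Publishing the head hash periodically (or signing it with a key the log writer does not hold) is what turns "hash-linked" into "tamper-evident".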

Audit log retention by tier:

  • Starter: 90 days
  • Solo: 180 days
  • Business: 1 year · SIEM export available
  • Enterprise: unlimited · customer-defined retention

WHO ELSE HANDLES YOUR DATA

Full sub-processor disclosure. Updated quarterly.

Every third party that touches operator data is listed below: purpose, data accessed, location, compliance posture. Material changes trigger 30-day advance notice. Enterprise customers retain a right of objection under the custom DPA.

Sub-processor · Purpose · Data accessed · Location · Compliance

Amazon Web Services (AWS · primary infra)
  Purpose: Infrastructure hosting — compute, storage, databases, networking
  Data accessed: All operational data
  Location: US · EU · APAC, per customer region
  Compliance: SOC 2 · ISO 27001 · HIPAA-eligible · GDPR

Anthropic (Claude · primary AI)
  Purpose: AI inference — primary model for Atlas, Legal AI, Accounting AI
  Data accessed: Operator-initiated AI prompts only
  Location: US
  Compliance: SOC 2 · GDPR · Zero Data Retention

OpenAI (GPT · fallback AI)
  Purpose: AI inference — fallback / specialized capabilities
  Data accessed: Operator-initiated AI prompts only
  Location: US
  Compliance: SOC 2 · GDPR · Zero Data Retention

Google (Gemini · fallback AI)
  Purpose: AI inference — fallback / EU-region routing for Atlas
  Data accessed: Operator-initiated AI prompts only
  Location: US · EU
  Compliance: SOC 2 · ISO 27001 · GDPR

Stripe (Payments · billing)
  Purpose: Payment processing — subscription billing and Marketplace settlement
  Data accessed: Billing data only · no operational data
  Location: US · EU
  Compliance: PCI-DSS L1 · SOC 2 · GDPR

Resend / Amazon SES (Transactional email)
  Purpose: Transactional email delivery
  Data accessed: Email content + recipient address
  Location: US · EU
  Compliance: SOC 2 · GDPR

Twilio (SMS · WhatsApp Business)
  Purpose: SMS + WhatsApp Business messaging — counterparty communications
  Data accessed: Message content + counterparty contact
  Location: US · regional
  Compliance: SOC 2 · GDPR

Mapbox (Geocoding · maps)
  Purpose: Geocoding + map tiles for shipment tracking
  Data accessed: Address strings for shipment tracking
  Location: US
  Compliance: SOC 2 · GDPR

Cloudflare (CDN · DDoS · WAF)
  Purpose: CDN, DDoS protection, web application firewall
  Data accessed: HTTP request metadata · no payload retention
  Location: Global edge
  Compliance: SOC 2 · ISO 27001 · GDPR

Sentry (Error monitoring)
  Purpose: Error monitoring and performance traces
  Data accessed: Error stack traces · PII-scrubbed at source
  Location: US · EU
  Compliance: SOC 2 · GDPR

Notification policy

Customers receive 30 days advance notice before any sub-processor change. Material changes — new region, new data type, new compliance regime — trigger explicit re-consent for Enterprise customers under custom DPA. The current list is also published as a versioned JSON feed at edma.trade/security/subprocessors.json for compliance-automation tooling.

Right to object

Customers may object to specific sub-processors. EDMA will work to find a comparable alternative or, where no feasible alternative exists, provide grounds for termination without penalty. This right is enumerated in the standard DPA and survives contract renewal.

ADVERSARIAL TESTING

Tested annually by third parties. Continuously by ourselves.

Two tracks: third-party penetration testing for breadth and external validation, and continuous internal testing for depth and speed. A bug bounty program scales alongside GA. Enterprise customers may test their own deployment.

3rd-party pen test · annual

External penetration testing

  • Frequency: annual minimum · on-demand for major architecture changes
  • Scope: web app, API surface, infrastructure, social engineering simulation
  • Methodology: OWASP ASVS L2 minimum · OWASP Top 10 + OWASP API Security Top 10
  • Firms: rotated across [TBD — NCC Group / Bishop Fox / Trail of Bits / Praetorian]

Latest test: [TBD — Month YYYY]
Availability: executive summary public · full report under NDA

Continuous internal · every commit

Continuous testing in CI

  • SAST — static application security testing · every commit
  • SCA — software composition analysis · every dependency update
  • DAST — dynamic testing · nightly
  • Container image scanning · every build
  • IaC scanning · every Terraform plan
  • Secret scanning · pre-commit + post-merge sweeps

Remediation SLA: P1 patched within 24h · P2 within 7 days · P3 within 30 days

Bug bounty · in development

Public bug bounty · Q4 2026

  • Launch: alongside GA in Q4 2026
  • Vendor: [TBD — HackerOne / Bugcrowd]
  • Scope: production endpoints & customer-facing applications
  • Bounty range: $250 – $10,000 by severity & impact
  • Pre-launch: private invite-only beta with [TBD — count] researchers

Safe harbor: standard disclose.io terms
Payouts: severity-based, within the published range

Customer-led · Enterprise

Test your own deployment

Enterprise customers may conduct independent penetration testing on their dedicated VPC deployment with advance scheduling.

Testing scope, methodology, and findings disclosure are governed by a separate testing agreement. Sovereign and Air-Gapped deployments allow customer-controlled testing without coordination requirements — it's your infrastructure, test it on your schedule.

Notice: 7 days (VPC) · none (air-gapped)
Request: via CSM

WHEN SOMETHING GOES WRONG

Documented playbooks. Customers notified within 24 hours.

NIST SP 800-61 framework. 24/7 incident commander rotation. Status page updates within 15 minutes of confirmation, full customer notification within 24 hours for confirmed breaches affecting their data, public post-incident report within 5 business days.

Step 01 · Detect

Detection

  • 24/7 SOC monitoring — security operations center across three time zones
  • Anomaly detection on authentication, authorization, and data access patterns
  • Threat intelligence feeds: [TBD vendors]
  • Customer-reported incidents via dedicated channel — bypasses general support queue
  • Internal escalation SLA: P1 5min · P2 30min · P3 4h
Step 02 · Respond

Response

  • Documented playbooks under the NIST SP 800-61 framework
  • Incident commander rotation 24/7 — named individual on-call, not a shared inbox
  • CERR process: Containment · Eradication · Recovery · Lessons-learned
  • Status page updates within 15 minutes of confirmation
  • Full notification within 24 hours · post-incident report within 5 business days
Step 03 · Notify

Breach notification

  • Customer notification within 24 hours of a confirmed breach affecting their data. GDPR Article 33(2) requires a processor to notify the controller without undue delay; the 72-hour Article 33(1) clock for notifying the supervisory authority runs on your side as controller, and the 24-hour window is set to leave you room to meet it.
  • Regulatory notification per applicable jurisdiction requirements
  • Affected data-subject notification coordinated with customer per their DPA and applicable law
  • Public disclosure coordinated with affected customers and regulators
  • Material breaches publicly disclosed via status page within 7 days of confirmation

Notification SLA

Confirmed breach → customer notified

T+0 (00:00) · incident confirmed by IR commander
T+15m (00:15) · status page entry created
T+24h (24:00) · full customer notification (email + portal)
T+72h (72:00) · regulatory notification window · GDPR Article 33
T+5d (120:00) · post-incident report (customer-direct)
T+30d (720:00) · final report · root cause + remediation

Material incidents are disclosed at status.edma.trade. Since beta launch May 2026: [X] material incidents · full history public.

YOUR RIGHT TO VERIFY

Independent verification — by you or your auditors.

Trust without verification is a marketing claim. Every Business and Enterprise customer receives the documentation set below. Enterprise customers may also audit on-site and stream audit logs into their own SIEM, and Business and Enterprise customers receive responses to vendor security questionnaires on a 5-business-day SLA.

A · Documentation review

Business+

Standard documentation package

All Business and Enterprise customers receive:

  • Annual SOC 2 Type II report (under NDA)
  • ISO 27001 certificate and Statement of Applicability
  • Penetration test executive summary (full report under NDA)
  • Sub-processor list updated quarterly · JSON feed available
  • Encryption & key management documentation
  • Incident response playbooks (redacted where necessary)

B · On-site audits

Enterprise

Audit our operations directly

Enterprise customers may conduct on-site audits annually with 60 days advance notice. Scope covers information security controls, sub-processor management, incident response procedures, and encryption key management.

Cost: customer-borne for audits above the standard documentation review. EDMA provides workspace, named personnel, and document access. Findings remain customer-confidential under the audit agreement.

C · Continuous monitoring

Enterprise

Stream events into your stack

Enterprise customers may request continuous monitoring access:

  • SIEM integration of audit logs — Splunk, Datadog, Sumo Logic, Elastic, Sentinel
  • Real-time security event streaming via Kafka topic or webhook
  • Customer-controlled API access for compliance-automation tools
  • Configured per contract; rate limits and event types negotiable

D · Vendor questionnaires

Business+

Security assessments — SIG, CAIQ, custom

Standard customer security assessments — SIG, CAIQ, vendor security questionnaires, custom enterprise templates — are responded to within 5 business days for Business+ customers.

Annual response refresh included in CSM scope. Pre-completed answer libraries available on request for common frameworks (SIG Core, CAIQ v4, NIST CSF 2.0).

SPECIFIC QUESTIONS

What InfoSec teams actually ask.

12 questions grouped into 4 topics. Answers are factual and terse, and each refers to the section above where the underlying control is documented.

Group 01Data ownership & control3 questions
Q · 01

Who owns our data?

You do. Always. EDMA processes data on your behalf as a Processor under GDPR terminology. Your data is exportable in CSV / JSON formats at any time. Upon contract termination, you have 90 days to export; we delete your data within 30 days after that export window closes. The export schema is documented and stable.

Q · 02

Can EDMA employees access our data?

Only under three specific conditions: (1) you have opened a support case and granted access; (2) emergency incident response requiring data access — audited, time-limited, customer-notified; (3) court order or legal process — we resist and notify you unless legally prohibited. Standard operations do not require EDMA access to customer data. All access events are written to your audit log.

Q · 03

What happens if EDMA is acquired or shuts down?

Acquisition: customer data-protection clauses survive acquisition; the new owner inherits DPA terms. Shutdown: 12-month advance notice contractually committed to Enterprise customers with data-migration assistance; 6-month notice for all other tiers. Open-source escrow of critical data formats ensures migration is technically feasible even if EDMA personnel are unavailable.

Group 02AI & data privacy3 questions
Q · 04

Is our data used to train AI models?

No. EDMA holds Zero Data Retention contracts with Anthropic (Claude), OpenAI, and Google (Gemini). Your prompts and AI responses are not retained by providers beyond the API call duration and are not used for training. Local Gemma 4 E4B — our resilience floor — runs on infrastructure controlled by EDMA, or by you in air-gapped deployment.

Q · 05

Can we use our own AI provider keys?

Yes, at Enterprise tier. Bring Your Own Key (BYOK) is supported for Anthropic, OpenAI, Google, and approved customer-hosted LLM inference endpoints. AI prompts route through your provider account and are billed to you directly. EDMA does not store your API key in the clear: it is held wrapped under a key in your KMS and unwrapped only for the duration of each request.

Q · 06

What about AI hallucinations in financial or legal contexts?

AI products operating on financial or legal contexts (Legal AI, Accounting AI) include confidence scoring, human review workflows for high-stakes actions, and audit chains for every AI-generated artifact. Outputs are draft-mode by default; human approval is required before send or commit. The audit chain is the record of who reviewed what, when, and on what basis.

Group 03Operational security3 questions
Q · 07

How are user credentials stored?

bcrypt with cost factor 12 (adaptive). Password reset uses single-use, time-limited tokens. Passkeys (WebAuthn) recommended over passwords on every tier. SSO recommended over local credentials at Business+ tier — passwords disabled at the workspace level when SSO is enforced.

Q · 08

How do you handle administrative access to production?

Just-in-time (JIT) elevation required for all production access — no standing access. Multi-person approval for production changes affecting customer data. Recorded sessions for all production database access. Quarterly access reviews. Privileged Access Management (PAM) via [TBD vendor].

Q · 09

What's your secure software development lifecycle?

Threat modeling at design phase. Mandatory code review by 2+ engineers. Automated security testing (SAST, SCA, DAST) in CI. Dependency vulnerabilities tracked and patched within SLA: P1 24h · P2 7d · P3 30d. Secrets never in source code — scanned pre-commit and post-merge. Annual secure coding training for all engineers.

Group 04Compliance specifics3 questions
Q · 10

Are you GDPR compliant?

Yes. EDMA serves as Data Processor for customer-supplied data and as Data Controller for user account data only. Standard DPA included in Business+ contracts. Customer-specific DPAs negotiated at Enterprise tier. Data Subject Access Requests (DSAR) supported via in-product workflow with 30-day response SLA.

Q · 11

Do you support data residency for [specific country]?

Standard regions: US (Virginia), EU (Frankfurt), APAC (Singapore). Sovereign tier (Enterprise) supports any AWS, GCP, or Azure region — approximately 25 regions globally. Specific country requirements (Russia, China, India data localization) require an Enterprise custom deployment; contact sales for scoping.

Q · 12

What's the breach notification SLA?

Customer notification within 24 hours of a confirmed breach affecting their data (GDPR Article 33(2): processor to controller without undue delay; the 72-hour Article 33(1) deadline to the supervisory authority is yours as controller, and the 24-hour window is set so you can meet it). Material breaches publicly disclosed via status page within 7 days of confirmation. Customer-direct post-incident report within 5 business days; final root-cause report within 30 days. Customer-specific notification timing is available under custom Enterprise contracts (e.g. shorter windows for regulated financial customers).

NEXT STEP

Get the security review package.

Three tracks. Pick the one that fits where your evaluation is — preliminary read-through, executed-NDA deep dive, or direct conversation with security engineering.

Track A · Public · no NDA

Self-serve review package

Public artifacts available without NDA. Read end-to-end in 30 minutes. Suitable for early-stage vendor evaluation.

SOC 2 Type II executive summary

ISO 27001:2022 certificate

Sub-processor list · current quarter

Pen test executive summary

DPA template · standard form

Track B · NDA-protected

NDA-protected review package

Triggers a standard mutual NDA via DocuSign. Delivered within 2 business days of execution. Suitable for active procurement.

SOC 2 Type II full report

ISO 27001 Statement of Applicability

Penetration test full reports

Custom DPA template

Incident response playbooks (redacted)

Track C · Enterprise

Security engineering consultation

60-minute call with EDMA's security engineering team. Suitable for complex requirements and custom-deployment scoping.

Deployment architecture review

Custom requirements scoping

BYOK / HYOK options walkthrough

Audit scope & cadence

Regulatory-specific compliance


Direct contact

For coordinated vulnerability disclosure, urgent security inquiries, or anything that needs to bypass general sales. Monitored 24/7 by the on-call security engineer. Encrypt sensitive communications using the PGP key shown below.

PGP key · [email protected]

Fingerprint: [TBD — 40-CHAR HEX]

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: edma-trade-os v2026.05
[TBD: full ASCII-armored block to be inserted here at production]
-----END PGP PUBLIC KEY BLOCK-----

The key is referenced from the Encryption field of edma.trade/.well-known/security.txt (RFC 9116). Key rotation policy: [TBD — annual, with 90-day overlap].