Security summary
This page summarizes Popilnus's security posture for partners, reviewers, and customers. Detailed security materials (whitepapers, SOC2 evidence, DPA) are available on request under NDA.
Hosting and infrastructure
Primary hosting: Google Cloud Platform. Static assets are served from Cloud Storage + Cloud CDN. Core services (AI gateway) run on Cloud Run; ledger metadata and analytics use Cloud SQL or BigQuery depending on scale.
- Data is encrypted at rest using GCP-managed keys, or customer-managed keys where required.
- Regional hosting and data residency options available for enterprise customers.
- Edge caching via Cloud CDN for low-latency static asset delivery.
Encryption and data minimization
Transport: TLS 1.2+ for all network traffic. At rest: encryption using provider-managed or customer-managed keys where applicable. We apply a minimal‑PII principle: provenance traces and analytics are pseudonymized or tokenized where possible to reduce exposure of personal data.
Access control and operations
Role-based access control (RBAC) for internal tools and admin consoles. Services follow least-privilege IAM policies. Admin and validator actions are audit‑logged and monitored. Change control, dependency scanning, and scheduled backups are part of standard operations.
Privacy and compliance
Privacy‑first defaults across the product. We do not sell personal data. We support contractual DPAs and can meet data residency and regulatory requirements for enterprise agreements. Product‑level privacy controls and disclosure are available inside the live product at popilnus.com.
Security practices
- Secure SDLC practices: static analysis, SCA, CI linting, and code reviews.
- Periodic penetration testing and vulnerability assessments (available on request).
- Incident response plan, regular backups, and breach notification procedures aligned with applicable law.
Security contact
Security POC
Security Manager
security@detreck.ca
For detailed security reviews, SOC2 evidence, DPA, or architecture whitepapers, contact the security POC; materials will be provided under NDA.