Security & Trust

How we handle your data

Green Trace AI processes operational data — utility bills, invoices, fuel records, and the resulting emissions calculations — on behalf of UK companies preparing audit-ready disclosures. This page explains what that looks like in practice. It is intended for the finance, compliance, and IT leads who will be evaluating us.

Data residency

Our primary database, authentication, and document storage run on Supabase, in the eu-west-1 (Ireland) region. Customer data is stored within the EU. The platform layer (Vercel) operates a global edge network for static content; dynamic application traffic for UK and EU customers is served from European edge regions where possible.

Encryption

All traffic to and from the application is encrypted in transit via TLS 1.2 or higher. Data at rest in our Supabase database is encrypted using AES-256. Authentication secrets are hashed, not stored in plaintext.

Authentication and access

Customer accounts use email-based magic-link authentication backed by Supabase Auth. Sessions are managed via secure, HTTP-only cookies. Internally, no Green Trace AI staff member has standing access to customer data; access is granted only when investigating a specific support ticket and is logged.

Sub-processors

We disclose every external service that processes customer data on our behalf. We will give written notice before adding a new sub-processor and provide an opportunity to object.

Document handling

When you upload a utility bill or invoice, the file is stored in Supabase Storage in the EU region. Document text is extracted and the relevant structured fields (e.g. supplier, billing period, kWh, total cost) are written to the database. The original file remains accessible to you and can be deleted on request.

Backups and retention

The database is backed up automatically by Supabase. On termination of a customer account, data is deleted within 30 days of the request, excluding any minimal records we are required to retain for tax, accounting, or fraud-prevention purposes under UK law. Backups are purged on a rolling basis after retention expires.

UK GDPR & Data Protection Act 2018

We process personal data in accordance with UK GDPR and the Data Protection Act 2018. Customers acting as Data Controllers can rely on our Data Processing Agreement for the formal Article 28 terms. Data subjects retain full rights of access, rectification, erasure, restriction, and portability under Articles 15–20.

International transfers

Where data is transferred outside the UK or EEA — for example, when extraction calls are made to the Anthropic API — we rely on appropriate safeguards including the UK International Data Transfer Addendum (IDTA) and EU Standard Contractual Clauses where applicable.

Incident response

In the event of a personal data breach affecting customer data, we will notify the affected customer without undue delay and, where required, the UK Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.

Audit and assurance

Green Trace AI is at an early stage and does not yet hold formal third-party certifications such as ISO 27001 or SOC 2. Recognised UK baselines such as Cyber Essentials are on our roadmap as the customer base grows. The controls described above are designed to align with the practical expectations of mid-market UK SME buyers and their auditors.

Reporting a vulnerability

If you believe you’ve found a security issue, please email security@greentraceai.co.uk with details. We’ll acknowledge within 2 business days and work with you to resolve it. Please give us a reasonable window to remediate before any public disclosure.

Questions

Anything else? Email hello@greentraceai.co.uk or read our methodology page for how the calculations themselves are done.