We are 100% GDPR Compliant.

We adhere to enterprise-level security standards to help our customers ensure a secure environment for their data, and to meet their own compliance regulations. We are 100% GDPR compliant and all data is stored in Frankfurt (Germany) and Amsterdam (Netherlands).

Compliance is our beating heart

We are a platform to manage your sustainability compliance data. Thus, it is in our nature to be a leader in compliance ourselves. We are working with international legal advice around the year, and we closely follow laws and developments regarding data protection and privacy. The system was built up with the latest security standards and on this page, we provide insights into how we achieved this. We are very happy to provide further consultation.
Peter Merkert, CTO & Co-founder of retraced

GDPR compliance overview


Data processing agreement

Our data processing agreement defines the personal data collection at retraced. This includes the type of personal data, their purpose for processing, and their precise storage location. The agreement also includes all subprocessors, which data they hold, our reasoning for processing, and each of their physical data locations. The agreement can be signed by any client of retraced.

Employee training

As part of Art. 5 GDPR, everyone joining retraced as an employee is required to commit to and sign our information security and data protection form, which ensures employees understand the importance of the subject and are contractually bound to follow it. Further, once per year, we hold training for employees to ensure correct handling of customer data, including outside of the retraced platform.

Records of processing activities

In accordance with Art. 30 GDPR, our records comprise all details about processing activities, our representative, our GDPR data protection officer, and the technical and organizational measures for data protection.

Data protection mechanisms

Single sign on ready

It is fundamental to ensure your organization has the right access control mechanisms for your employees. Single sign on lets you provision, just in time, the employees who should also have access to the retraced application. We support nearly every identity provider out there, to name but a few: AD FS, Auth0, AAD, Cloudflare, Google, LastPass, Keycloak, JumpCloud, NetIQ, Okta, OneLogin, Oracle, PingOne, Rippling, Shibboleth, VMware, and more.

Encryption in transit and at rest

Your data is always safe with us. Whenever you communicate with the retraced platform, all data is encrypted with the highest security standards of SSL encryption. All transmission happens only over the newer HTTP/2 protocol. In addition, all data ever submitted into the retraced platform is protected against unauthorized access by encrypting it at rest with the respective highest security standard per component.

Role based access control

Every piece of data is access controlled with an industry-standard role-based access control mechanism. Every access request requires specific roles assigned to the requester to get access to the information. Through its simplicity, this standardized mechanism ensures extreme transparency into who can access which information.

Redundancy and disaster recovery

Redundancy and disaster recovery are the foundational pillars on which we built the retraced platform. Our entire structure is built so that even in unexpected technical scenarios (in legal words often referred to as Force Majeure), such as regional unavailability, the platform shall work as if nothing has happened. Our database is even replicated in real time between Frankfurt (Germany) and Amsterdam (Netherlands) to ensure extremely high availability with the top-of-the-class Oracle Cloud Guard technology.

We are not only setting a standard, but we also keep it.


Cloud Guard

We use Oracle Cloud Guard for real-time detection, to hold our account configurations to the highest standards. The constantly updated Cloud Guard offers instant notification of misconfigurations and insecurities across the cloud setup.

Maximum security zone

All production resources are encapsulated in a dedicated cloud compartment accessible only to selected engineers using 2-factor authentication. In addition, the concept of a maximum security zone protects all production resources even further against any unwanted change.


Mobile device management (MDM) means all devices handed out by retraced to employees are enrolled in Microsoft Intune Mobile Device Management and can be fully controlled remotely, have all the latest updates, and are encrypted.

Azure Active Directory

All employees at retraced are centrally organized to perfect the management of user roles and rights. The centralization also allows clear application access and fine-grained role access control for different applications.