Security

Security is an invariant, not an afterthought

TAGTRAZE handles passenger PII for thousands of people per sailing. Our security architecture reflects that responsibility.

Encryption

AES-256 encryption

All passenger personally identifiable information (PII) — including name and contact details — is encrypted at rest using pgcrypto with AES-256. Encryption and decryption occur inside the database using organisation-scoped keys. Application code never handles plaintext PII.

  • pgcrypto AES-256 for all PII fields
  • Organisation-scoped encryption keys
  • No PII on physical QR tags — UUID only
  • API keys stored as SHA-256 hashes only
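The following is an added example, not TAGTRAZE's own code, of the pattern this section describes: PII columns encrypted with pgcrypto AES-256 inside the database, one key per organisation that only SECURITY DEFINER functions can read, and API keys stored as SHA-256 digests. Table, function, role and setting names (organisation_keys, passengers, api_keys, pii_encrypt, pii_decrypt, app_user) are assumptions for illustration, as are the identifiers in the usage section.

```sql
-- Added example (not TAGTRAZE's own code): AES-256 column encryption with
-- pgcrypto, organisation-scoped keys, and SHA-256 hashing of API keys.
-- Table, function and role names are assumptions for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE ROLE app_user NOLOGIN;   -- hypothetical role the API connects as

-- One 256-bit key per organisation. Nothing but the SECURITY DEFINER
-- functions below can read this table.
CREATE TABLE organisation_keys (
    org_id uuid  PRIMARY KEY,
    key    bytea NOT NULL CHECK (octet_length(key) = 32)
);
REVOKE ALL ON organisation_keys FROM PUBLIC;

CREATE TABLE passengers (
    id        uuid  PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id    uuid  NOT NULL,
    name_enc  bytea NOT NULL,   -- ciphertext only; no plaintext PII column exists
    email_enc bytea NOT NULL
);
GRANT SELECT, INSERT ON passengers TO app_user;

-- Encrypt/decrypt inside the database with the caller's organisation key.
-- pgp_sym_encrypt adds a random salt and IV per call plus an integrity tag,
-- so equal plaintexts do not produce equal ciphertexts.
CREATE FUNCTION pii_encrypt(p_org uuid, p_plain text) RETURNS bytea
LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
    SELECT pgp_sym_encrypt(p_plain, encode(k.key, 'hex'), 'cipher-algo=aes256')
    FROM organisation_keys k WHERE k.org_id = p_org
$$;

CREATE FUNCTION pii_decrypt(p_org uuid, p_cipher bytea) RETURNS text
LANGUAGE sql SECURITY DEFINER SET search_path = pg_catalog, public AS $$
    SELECT pgp_sym_decrypt(p_cipher, encode(k.key, 'hex'))
    FROM organisation_keys k WHERE k.org_id = p_org
$$;
-- Functions are executable by PUBLIC by default; restrict them explicitly.
REVOKE EXECUTE ON FUNCTION pii_encrypt(uuid, text), pii_decrypt(uuid, bytea) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION pii_encrypt(uuid, text), pii_decrypt(uuid, bytea) TO app_user;

-- API keys: only the SHA-256 digest is stored; the key itself is returned once.
CREATE TABLE api_keys (
    org_id   uuid  NOT NULL,
    key_hash bytea PRIMARY KEY,        -- digest(key, 'sha256')
    label    text  NOT NULL
);

-- Issue a key for an organisation and return the plaintext exactly once.
CREATE FUNCTION api_key_issue(p_org uuid, p_label text) RETURNS text
LANGUAGE plpgsql AS $$
DECLARE
    plain text := encode(gen_random_bytes(32), 'hex');   -- 256 bits of entropy
BEGIN
    INSERT INTO api_keys (org_id, key_hash, label)
    VALUES (p_org, digest(plain, 'sha256'), p_label);
    RETURN plain;
END $$;

-- Authenticate a presented key by hashing it and looking up the digest.
CREATE FUNCTION api_key_lookup(p_key text) RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT org_id FROM api_keys WHERE key_hash = digest(p_key, 'sha256')
$$;

-- Usage (constructed identifiers and sample data):
INSERT INTO organisation_keys VALUES
    ('11111111-1111-1111-1111-111111111111', gen_random_bytes(32));
INSERT INTO passengers (org_id, name_enc, email_enc) VALUES (
    '11111111-1111-1111-1111-111111111111',
    pii_encrypt('11111111-1111-1111-1111-111111111111', 'Jane Example'),
    pii_encrypt('11111111-1111-1111-1111-111111111111', 'jane@example.invalid'));
SELECT pii_decrypt(org_id, name_enc) FROM passengers;
SELECT api_key_lookup(api_key_issue('11111111-1111-1111-1111-111111111111', 'port-integration'));
```

The final two queries return the decrypted name and the organisation id that issued the key. Three design points matter here. First, `pgp_sym_encrypt` is used rather than the raw `encrypt()` call, because `encrypt()` without an explicit IV is deterministic and would reveal which passengers share a value. Second, SHA-256 is adequate for API keys only because they are 256 bits of random data; user passwords need a slow, salted hash such as pgcrypto's `crypt()` with a bcrypt salt. Third, `pii_decrypt` trusts the org id it is given, so it must sit behind the tenant isolation described later on this page, and plaintext still crosses the client connection on its way to the function, so TLS to the database is part of the design, not an optional extra.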

Data Privacy

GDPR Article 28 compliance

The cruise line acts as Data Controller; TAGTRAZE acts as Data Processor under Article 28 of GDPR. A Data Processing Agreement (DPA) is included in all plans. All data is hosted in EU data centres — no transatlantic transfers of passenger PII.

  • Data Processing Agreement in every plan
  • EU-only data hosting — no transatlantic transfers
  • Passenger data deletion on request (right to erasure)
  • Data retention policies enforced at database level

Data Isolation

Row-level security

Every table in the TAGTRAZE database has row-level security (RLS) enabled — with no exceptions. Even if a query is incorrectly constructed, the database enforces tenant isolation. No cruise line can ever read another cruise line's data.

  • RLS on every table — no exceptions
  • Organisation and cruise line ID checked on every query
  • Platform admin access via separate JWT claim
  • Support sessions require explicit consent flag
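As an added example (not TAGTRAZE's own code), here is how row-level security delivers the property described above: the policy checks both the organisation and cruise line ids on every statement, so a query that forgets its WHERE clause still returns only the caller's rows, and a platform admin path is gated on a separate flag. The table, role and setting names (bag_scans, app_user, app.org_id, app.cruise_line_id, app.is_platform_admin) and all identifiers in the usage section are assumptions.

```sql
-- Added example (not TAGTRAZE's own code): tenant isolation enforced with
-- row-level security. Setting, table and role names are assumptions.
CREATE ROLE app_user NOLOGIN;   -- hypothetical role the API connects as

CREATE TABLE bag_scans (
    id             uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id         uuid NOT NULL,
    cruise_line_id uuid NOT NULL,
    tag_uuid       uuid NOT NULL,   -- the only value printed on the physical tag
    scanned_by     uuid NOT NULL,   -- individual crew member
    scanned_at     timestamptz NOT NULL DEFAULT now()
);
GRANT SELECT, INSERT ON bag_scans TO app_user;

-- Tenant context. The API sets these per request from the verified JWT,
-- inside the request's transaction (set_config(..., true)), so a pooled
-- connection never carries one tenant's context into the next request.
CREATE FUNCTION ctx_org_id() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.org_id', true), '')::uuid
$$;
CREATE FUNCTION ctx_cruise_line_id() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.cruise_line_id', true), '')::uuid
$$;

ALTER TABLE bag_scans ENABLE ROW LEVEL SECURITY;
ALTER TABLE bag_scans FORCE ROW LEVEL SECURITY;   -- applies even to the table owner

-- Both identifiers must match for reads (USING) and writes (WITH CHECK).
-- With no context set, both functions return NULL and nothing is visible.
CREATE POLICY tenant_isolation ON bag_scans
    FOR ALL TO app_user
    USING      (org_id = ctx_org_id() AND cruise_line_id = ctx_cruise_line_id())
    WITH CHECK (org_id = ctx_org_id() AND cruise_line_id = ctx_cruise_line_id());

-- Platform support staff read across tenants only when the API has set a
-- separate admin flag from its own JWT claim (hypothetical setting name).
CREATE POLICY platform_admin_read ON bag_scans
    FOR SELECT TO app_user
    USING (current_setting('app.is_platform_admin', true) = 'true');

-- Usage (constructed identifiers). Seed two tenants as the owner, which
-- is not subject to the policies above.
INSERT INTO bag_scans (org_id, cruise_line_id, tag_uuid, scanned_by) VALUES
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
     gen_random_uuid(), gen_random_uuid()),
    ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb',
     gen_random_uuid(), gen_random_uuid());

SET ROLE app_user;
BEGIN;
SELECT set_config('app.org_id', '11111111-1111-1111-1111-111111111111', true);
SELECT set_config('app.cruise_line_id', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', true);
-- A query with no WHERE clause at all: the policy still filters it.
SELECT count(*) FROM bag_scans;
-- A write for the other tenant fails the WITH CHECK clause.
INSERT INTO bag_scans (org_id, cruise_line_id, tag_uuid, scanned_by)
VALUES ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb',
        gen_random_uuid(), gen_random_uuid());
ROLLBACK;
```

Run as app_user with the first tenant's context, the count reports one row although two exist, and the cross-tenant insert is rejected with a row-level security policy error. Two caveats a reviewer would raise: any session can set a custom setting such as app.is_platform_admin, so the flag is only as trustworthy as the code path that sets it, which is why the API's database role should have no other route in and must verify the JWT before calling set_config; and policies only cover roles they name, so the superuser and bypassrls roles used for migrations should never be the ones the application connects with.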

Accountability

Full audit trail

Every action taken in TAGTRAZE — every scan, login, configuration change, and support access — is recorded in an insert-only audit_logs table. Records can never be modified or deleted. The audit trail is exportable for compliance and regulatory purposes.

  • Insert-only audit_logs — tamper-evident
  • Every scan attributed to an individual crew member
  • Support access logged with org_consent timestamp
  • Exportable audit reports for port authority requirements
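As an added example (not TAGTRAZE's own code), here is one way to build the insert-only audit_logs table this section describes. Privileges and triggers refuse UPDATE, DELETE and TRUNCATE even for the table owner, and each row is linked to the previous one by a SHA-256 hash chain, which goes beyond what the page states but is what makes an exported log verifiable rather than merely append-only. Column names, the role app_user, the helper functions and all sample values are assumptions.

```sql
-- Added example (not TAGTRAZE's own code): an insert-only audit_logs table.
-- Privileges and triggers block UPDATE/DELETE/TRUNCATE; a SHA-256 hash
-- chain (an addition beyond the page's description) lets an exported log
-- be verified for gaps or edits. Names are assumptions for illustration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE ROLE app_user NOLOGIN;

CREATE TABLE audit_logs (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    org_id      uuid  NOT NULL,
    actor_id    uuid  NOT NULL,   -- the individual crew member or support user
    action      text  NOT NULL,   -- 'scan', 'login', 'config_change', 'support_access', ...
    detail      jsonb NOT NULL DEFAULT '{}',
    prev_hash   bytea,            -- NULL only for the first row
    row_hash    bytea NOT NULL
);
GRANT SELECT, INSERT ON audit_logs TO app_user;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_logs FROM PUBLIC, app_user;

-- Canonical serialisation shared by the trigger and the verifier. The
-- timestamp is rendered in UTC so the hash does not depend on session TimeZone.
CREATE FUNCTION audit_row_hash(prev bytea, ts timestamptz, org uuid,
                               actor uuid, act text, det jsonb)
RETURNS bytea LANGUAGE sql STABLE AS $$
    SELECT digest(
        coalesce(encode(prev, 'hex'), '') || E'\n' ||
        to_char(ts AT TIME ZONE 'UTC', 'YYYY-MM-DD HH24:MI:SS.US') || E'\n' ||
        org::text || E'\n' || actor::text || E'\n' || act || E'\n' || det::text,
        'sha256')
$$;

-- Link each new row to the previous one. The advisory lock serialises
-- inserters so the chain stays linear under concurrency without the
-- deadlock a LOCK TABLE inside a trigger would risk.
CREATE FUNCTION audit_logs_chain() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    last_hash bytea;
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('audit_logs_chain'));
    SELECT row_hash INTO last_hash FROM audit_logs ORDER BY id DESC LIMIT 1;
    NEW.prev_hash := last_hash;
    NEW.row_hash  := audit_row_hash(last_hash, NEW.occurred_at, NEW.org_id,
                                    NEW.actor_id, NEW.action, NEW.detail);
    RETURN NEW;
END $$;
CREATE TRIGGER audit_logs_link BEFORE INSERT ON audit_logs
    FOR EACH ROW EXECUTE FUNCTION audit_logs_chain();

-- Belt and braces: even the owner cannot modify or delete history.
CREATE FUNCTION audit_logs_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_logs is insert-only: % rejected', TG_OP;
END $$;
CREATE TRIGGER audit_logs_no_change BEFORE UPDATE OR DELETE ON audit_logs
    FOR EACH ROW EXECUTE FUNCTION audit_logs_immutable();
CREATE TRIGGER audit_logs_no_truncate BEFORE TRUNCATE ON audit_logs
    FOR EACH STATEMENT EXECUTE FUNCTION audit_logs_immutable();

-- Verifier for compliance exports: returns the ids of rows whose hash or
-- link does not match; an empty result means the chain is intact.
CREATE FUNCTION audit_logs_verify() RETURNS SETOF bigint LANGUAGE sql STABLE AS $$
    SELECT id FROM (
        SELECT id, prev_hash, row_hash,
               lag(row_hash) OVER (ORDER BY id) AS expected_prev,
               audit_row_hash(lag(row_hash) OVER (ORDER BY id), occurred_at,
                              org_id, actor_id, action, detail) AS expected_hash
        FROM audit_logs
    ) c
    WHERE prev_hash IS DISTINCT FROM expected_prev
       OR row_hash  IS DISTINCT FROM expected_hash
$$;

-- Usage (constructed values):
INSERT INTO audit_logs (org_id, actor_id, action, detail)
VALUES ('11111111-1111-1111-1111-111111111111', gen_random_uuid(), 'login', '{}');
INSERT INTO audit_logs (org_id, actor_id, action, detail)
VALUES ('11111111-1111-1111-1111-111111111111', gen_random_uuid(), 'scan',
        '{"tag_uuid": "3f0e8e2c-0000-4000-8000-000000000001"}');
SELECT * FROM audit_logs_verify();
```

After the two inserts the verifier returns no rows. Any later UPDATE or DELETE is refused twice over, by the missing privilege and by the trigger, and a superuser who edited a row directly would leave a mismatch that the verifier reports. The chain only proves integrity relative to its own first row, so for regulatory exports the last row_hash should also be recorded somewhere the database cannot rewrite, for example in the exported report itself or an external log store.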

Identity

Access control and authentication

No shared crew accounts are permitted. Every crew member has an individual login with a role assigned (Terminal, Security, Deck, Supervisor, Admin). Roles are enforced at both application and database level through a granular RBAC system with 31 permissions.

  • Individual logins only — no shared accounts
  • RBAC with 8 system roles and 31 permissions
  • Sensitive data stored in expo-secure-store on device
  • Session tokens scoped per device and invalidated on logout
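The following added example (not TAGTRAZE's own code) shows what "enforced at database level" means for a role-and-permission model: a role_permissions mapping, a has_permission() check bound to the individual crew member the API identifies per request, and a policy that refuses writes without the permission regardless of what the application layer decided. The three roles and three permissions are constructed, not TAGTRAZE's 8 roles or 31 permissions, and all table, function, role and setting names (crew_members, terminal_config, app_user, app.crew_id) are assumptions.

```sql
-- Added example (not TAGTRAZE's own code): RBAC enforced in the database.
-- Role and permission names are constructed, not TAGTRAZE's actual set;
-- table, function and setting names are assumptions.
CREATE ROLE app_user NOLOGIN;   -- hypothetical role the API connects as

CREATE TABLE permissions (name text PRIMARY KEY);
CREATE TABLE roles       (name text PRIMARY KEY);
CREATE TABLE role_permissions (
    role_name  text REFERENCES roles,
    permission text REFERENCES permissions,
    PRIMARY KEY (role_name, permission)
);
-- Every crew member is an individual account with exactly one role.
CREATE TABLE crew_members (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id    uuid NOT NULL,
    email     text NOT NULL UNIQUE,
    role_name text NOT NULL REFERENCES roles
);
CREATE TABLE terminal_config (
    org_id uuid NOT NULL,
    key    text NOT NULL,
    value  text NOT NULL,
    PRIMARY KEY (org_id, key)
);
GRANT SELECT, INSERT, UPDATE ON terminal_config TO app_user;
GRANT SELECT ON permissions, roles, role_permissions, crew_members TO app_user;

-- The API sets app.crew_id per request from the verified session token;
-- has_permission() answers for that crew member.
CREATE FUNCTION has_permission(p_perm text) RETURNS boolean LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1
        FROM crew_members c
        JOIN role_permissions rp ON rp.role_name = c.role_name
        WHERE c.id = nullif(current_setting('app.crew_id', true), '')::uuid
          AND rp.permission = p_perm)
$$;

-- Database-level enforcement: the policies decide, not the caller.
ALTER TABLE terminal_config ENABLE ROW LEVEL SECURITY;
ALTER TABLE terminal_config FORCE ROW LEVEL SECURITY;
CREATE POLICY config_read  ON terminal_config FOR SELECT TO app_user
    USING (has_permission('config:read'));
CREATE POLICY config_write ON terminal_config FOR ALL TO app_user
    USING (has_permission('config:write')) WITH CHECK (has_permission('config:write'));

-- Constructed roles, permissions and accounts:
INSERT INTO permissions VALUES ('scan:create'), ('config:read'), ('config:write');
INSERT INTO roles VALUES ('terminal'), ('supervisor'), ('admin');
INSERT INTO role_permissions VALUES
    ('terminal',   'scan:create'),
    ('supervisor', 'scan:create'), ('supervisor', 'config:read'),
    ('admin',      'scan:create'), ('admin', 'config:read'), ('admin', 'config:write');
INSERT INTO crew_members (id, org_id, email, role_name) VALUES
    ('aaaaaaaa-0000-4000-8000-000000000001', '11111111-1111-1111-1111-111111111111',
     'deckhand@example.invalid', 'terminal'),
    ('aaaaaaaa-0000-4000-8000-000000000002', '11111111-1111-1111-1111-111111111111',
     'admin@example.invalid', 'admin');

-- Usage: the same statement as the terminal crew member and then as the admin.
SET ROLE app_user;
BEGIN;
SELECT set_config('app.crew_id', 'aaaaaaaa-0000-4000-8000-000000000001', true);
INSERT INTO terminal_config VALUES ('11111111-1111-1111-1111-111111111111', 'gate', 'A3');
ROLLBACK;
BEGIN;
SELECT set_config('app.crew_id', 'aaaaaaaa-0000-4000-8000-000000000002', true);
INSERT INTO terminal_config VALUES ('11111111-1111-1111-1111-111111111111', 'gate', 'A3');
COMMIT;
```

The first insert is rejected by the row-level security policy because the terminal role carries no config:write permission; the second succeeds. In a real deployment this permission policy is combined with the tenant isolation policy from the Data Isolation section so that both the organisation match and the permission are required. Keeping the mapping in a table rather than hard-coding it in application code is what lets the permission set be audited with a single query and changed without a release.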

Maritime

IMO guidelines compliant

TAGTRAZE is designed with maritime operational requirements in mind, including IMO MSC/Circ.1356 guidance on passenger management and port authority reconciliation requirements for embarkation manifest accuracy.

  • Manifest reconciliation before departure
  • Bag count accuracy reportable to port authority
  • Offline operation for poor-connectivity environments
  • Automated daily security scans and incident escalation

Data Roles

GDPR data responsibilities

Cruise line — Data Controller

Determines the purpose and means of processing passenger data. Responsible for obtaining valid consent and handling data subject requests. The cruise line owns the data.

TAGTRAZE — Data Processor

Processes passenger data only on the cruise line's documented instructions. Does not use passenger data for any other purpose. Bound by Article 28 DPA obligations.

Request our security documentation

We provide a full security pack including DPA, GDPR documentation, and data flow diagrams to every prospective customer.
