Security Policy

The security architecture, controls, and practices that govern the Eutopio platform and the Axiom traceability ledger.

Contents

  1. Security Philosophy
  2. Infrastructure Security
  3. Access Control
  4. Data Security
  5. On-Site Engagement Security
  6. Application Security
  7. Incident Response
  8. Compliance and Certifications
  9. Employee Security
  10. Responsible Disclosure

Security is foundational to Eutopio's mission. We operate the trade architecture layer of the Brazil–China corridor, and the trust of our counterparties depends on our ability to protect their commercial data and shipping records. This document describes the security architecture, controls, and practices that govern the Eutopio platform and the Axiom traceability ledger. Our security program is built on the principle that compliance is architecture, not an afterthought.

Please read this policy carefully and often, as it is subject to change.

1. Security Philosophy

Eutopio's security approach is built on three non-negotiable principles that are embedded into every system, process, and engagement we undertake:

Governance First. Compliance is architecture, not an afterthought. Every access, operation, and data movement is governed, auditable, and traceable by design. SSO, RBAC, and full audit trails are standard, not optional add-ons.

Data Sovereignty. Counterparties own their data. Our architecture ensures that your Shipment Data and any operational records remain under your control at all times, including after contract termination. We do not use counterparty data for any purpose beyond contracted service delivery.

Zero Source Modification. Axiom records trade and shipment events as an overlay ledger. It never modifies underlying operational data. This architectural constraint limits the blast radius of any potential security incident and means that adopting Axiom carries no risk to the integrity of your existing operational systems.

2. Infrastructure Security

Cloud Architecture. Eutopio Services are hosted on enterprise-grade cloud infrastructure. All data at rest is encrypted using AES-256. All data in transit is encrypted using TLS 1.2 or higher. Production environments are logically isolated from development and staging environments. Infrastructure is provisioned using Infrastructure-as-Code with full version control and audit trails. Automated vulnerability scanning runs continuously on all infrastructure components.

Data Residency. Counterparty data is stored in geographic regions agreed upon in the applicable Order Form. Eutopio supports regional data residency requirements for counterparties in Brazil, the EU, the Americas, the People's Republic of China, and other jurisdictions upon request.

Availability. Eutopio targets 99.9% platform uptime for Axiom. Redundant infrastructure, automated failover, and quarterly disaster recovery testing support this commitment. Scheduled maintenance windows are communicated with at least 72 hours' notice.

3. Access Control

Authentication. The Eutopio platform supports Single Sign-On (SSO) via SAML 2.0 and OIDC for enterprise counterparties. Multi-factor authentication (MFA) is required for all Eutopio staff and strongly recommended for all counterparty administrator accounts. Session tokens expire automatically after configurable periods of inactivity.

Authorization. Role-Based Access Control (RBAC) governs all platform access. Permissions are scoped to job function: Executive, Operations Manager, Counterparty Manager, Trade Operator, and Administrator roles. Access to counterparty data is restricted to personnel explicitly authorized by the counterparty, or to Eutopio personnel required for service delivery under a documented need-to-know. Eutopio staff access to counterparty environments is logged, time-limited, and requires manager approval.

Audit Logging. Every operation performed on the Eutopio platform is traceable. Audit logs capture user identity, action performed, timestamp, and affected data objects. Logs are immutable and retained for a minimum of 12 months. Counterparties can access their own audit logs via the dashboard or API at any time.

4. Data Security

Counterparty Data Isolation. Each counterparty's Shipment Data is logically isolated. Multi-tenant architecture enforces strict data boundaries; one counterparty cannot access another's data under any circumstances.

Encryption Key Management. Encryption keys are managed using a dedicated key management service. Counterparty data encryption keys are unique per counterparty and can be rotated on request. Enterprise counterparties may supply their own encryption keys (BYOK — Bring Your Own Key).

Data Export and Deletion. Upon contract termination, Eutopio provides a full export of counterparty data within 30 days of request. Following confirmed export receipt, counterparty data is securely deleted from all Eutopio systems within 90 days, with written confirmation of deletion provided to the counterparty.

Third-Party Integrations. The Eutopio platform integrates with enterprise systems, banking partners, IoT networks, and laboratory systems in read-only or event-recording mode. Integration credentials are stored using secrets management best practices and are never logged or stored in plaintext.

5. On-Site Engagement Security

Eutopio's on-site teams, including trade operators, agronomic specialists, and quality control personnel, adhere to the following protocols during all facility visits:

  • All on-site personnel undergo background screening prior to engagement.
  • Site access credentials and physical security requirements are coordinated with the counterparty's designated point of contact in advance of each visit.
  • Records captured on-site are encrypted immediately on portable devices and transferred to secure Eutopio infrastructure within 24 hours of capture.
  • Portable storage devices used during engagements are hardware-encrypted and remotely wipeable.
  • No counterparty data is retained on personal devices under any circumstances.
  • Eutopio personnel adhere to counterparty-specific safety and security protocols as communicated during engagement onboarding.

6. Application Security

Secure Development Lifecycle. Security requirements are defined at the design phase of every feature. All code undergoes peer review and automated static analysis (SAST) before deployment. Dependency scanning is performed continuously to identify and remediate known vulnerabilities. Production deployments require multi-party approval and are fully logged.

Penetration Testing. Eutopio conducts annual third-party penetration testing of the platform and supporting infrastructure. Executive summary reports are available to enterprise counterparties upon request under NDA.

Vulnerability Management. Critical and high-severity vulnerabilities are remediated within 30 and 60 days, respectively, following identification and confirmation. Eutopio maintains a responsible disclosure program (see Section 10).

7. Incident Response

Eutopio maintains a documented incident response plan with the following commitments:

Detection. Automated monitoring and alerting for anomalous activity operates 24/7. Our security team is on-call around the clock.

Notification. Affected counterparties are notified within 72 hours of Eutopio confirming an incident that may affect their data, in accordance with applicable regulations including LGPD, GDPR, and PIPL requirements.

Containment and Remediation. A dedicated incident response team follows documented playbooks to contain, eradicate, and recover from incidents with minimal disruption to counterparty operations.

Post-Incident Review. Root cause analysis and corrective actions are documented and shared with affected counterparties within 30 days of incident closure.

8. Compliance and Certifications

Eutopio's security program is designed to meet or exceed the following frameworks and standards:

  • ISO/IEC 27001. Information Security Management System (certification in progress).
  • SOC 2 Type II. Security, availability, and confidentiality trust service criteria (audit currently underway).
  • LGPD. Lei Geral de Proteção de Dados (Brazil).
  • GDPR. General Data Protection Regulation (European Union).
  • PIPL. Personal Information Protection Law (People's Republic of China).
  • NIST Cybersecurity Framework. Used as the baseline for enterprise risk management and control selection.

Current compliance status, audit reports, and completed security questionnaires are available to enterprise counterparties upon request under NDA. Please contact security@eutopio.trade to request these materials.

9. Employee Security

All Eutopio employees complete security awareness training upon hire and annually thereafter. Role-specific security training is required for engineers, trade operators, and all counterparty-facing personnel. Access to production systems is provisioned on a least-privilege basis and reviewed quarterly. Employee departures trigger revocation of access across all systems on the day of departure. Phishing simulation exercises are conducted quarterly to maintain organizational vigilance.

10. Responsible Disclosure

Eutopio encourages responsible disclosure of security vulnerabilities. If you believe you have discovered a security issue affecting Eutopio services, please contact our security team at security@eutopio.trade.

Our commitments to security researchers acting in good faith:

  • Acknowledgement of your report within 2 business days.
  • Investigation of all credible reports, regardless of severity.
  • Regular updates on investigation progress and remediation timelines.
  • No legal action against researchers following our responsible disclosure guidelines.

Please do not access or exfiltrate counterparty data, conduct denial-of-service attacks, or perform social engineering of Eutopio staff as part of any security research activity.

© 2026 Eutopio do Brasil trading LTDA. All rights reserved. Eutopio and Axiom are trademarks of Eutopio do Brasil trading LTDA.
