TrackOrigin works across artists, labels, distributors, DSPs, rights organisations, sync teams, press, standards bodies, regulators and security reviewers. Send one routed message — pick your business unit from the dropdown and the request reaches the correct team.
One routed form for every business unit. Choose who you are from the dropdown — your message is routed straight to the right team, with the response time and protocol that role requires.
Use this form for any inquiry — artist verification, catalogue review, platform integration, standard adoption, partnership, press, legal, data protection, regulator or standards-body inquiry, or general questions. The business-unit dropdown decides which team picks up the message and the response SLA that applies.
For coordinated security disclosure with PGP encryption, see §03 Security & Vulnerability Disclosure below — that channel runs a separate protocol with a 24-hour acknowledgment commitment.
Business hours: Monday – Friday · 09:00 – 18:00 AEST (UTC+10)
Asynchronous channels are monitored continuously.
TrackOrigin is designed for anyone who needs stronger proof around human-made, human-led or AI-assisted music origin. That includes individual artists, artist managers, independent labels, major labels, distributors, DSPs, rights bodies, sync teams, catalogue buyers, press, platform policy teams, data protection authorities and AI-regulatory offices.
The most useful requests include verification onboarding, catalogue verification, metadata integration, standard adoption, API review, security disclosure, regulator coordination, legal or compliance review and media inquiries.
Verify one track or a full catalogue.
Add TrackOrigin fields to release or ingestion metadata.
Use the Origin Seal on artist websites, DSP pages, EPKs or profiles.
Review certificate authenticity, revocation, disputes or abuse.
Discuss standard adoption with a platform, distributor or label team.
Make a regulator or data-protection inquiry (EU AI Act, China, US states, GDPR, PIPL).
Submit a coordinated security disclosure, encrypted or in clear.
TrackOrigin operates a coordinated vulnerability disclosure programme for issues affecting the verification system, the manifest signing infrastructure, the issuer key chain, the certificate verification flow and the Origin Seal embed.
Reports may be sent in clear to support@trackorigin.io or encrypted using the published PGP key. The current public key fingerprint, key ID and machine-readable security policy are available at:
/.well-known/security.txt — RFC 9116 security policy
/.well-known/pgp-keys — current PGP key, fingerprint and rotation schedule
/.well-known/trackorigin-public-key — Ed25519 signing key for manifest verification
For certificate abuse (fraudulent certificates, impersonation, unauthorized seal use): support@trackorigin.io.
We commit to:
Out-of-scope: social-engineering attacks against TrackOrigin staff, denial-of-service tests against production endpoints, physical attacks on offices, and reports duplicative of previously disclosed issues.
TrackOrigin engages directly with regulators, standards bodies and policy teams worldwide. Inquiries from official bodies are routed through dedicated channels and handled with full chain of evidence — select "Regulator / standards body" on the form above, or write directly.
EU AI Office (Article 50 transparency), national data protection authorities, European Commission policy teams and EU member-state cultural ministries.
Federal Trade Commission, US Copyright Office, state Attorneys General (California, Tennessee, Colorado, others), and federal-level AI policy offices.
Cyberspace Administration of China (deep synthesis and AI labelling), Japan's METI, South Korea's MSIT, Singapore's IMDA, Australia's OAIC and ACMA.
Music industry standards bodies, collective management organisations, content provenance coalitions and rights administration consortia.
Data protection officer. Inquiries under GDPR, CCPA, the Australian Privacy Act and China's PIPL — including subject access, erasure, sub-processor disclosure, data residency and breach notification — are routed to the DPO at support@trackorigin.io and answered within statutory timeframes.
Academic, policy & research engagement. Researchers, journalists, academic partners and public-interest organisations can reach the policy team at support@trackorigin.io. Where the work covers our methodology, the full specification is available under NDA.
TrackOrigin operates from Sydney with global asynchronous coverage for written channels. Live customer conversations are scheduled within Asia-Pacific business hours; asynchronous channels — security disclosure, written inquiries, API support, regulator coordination — operate continuously.
Enterprise partners (labels, DSPs, regulators) can pin data residency to a specific region at ingestion for compliance with GDPR, the Australian Privacy Act, PIPL or sector-specific requirements. Residency, sub-processor lists and audit interfaces are covered in the enterprise data agreement.
Registered in Australia. ACN and ABN published at /legal/entity.
Full registered office address available on request via support@trackorigin.io for formal service of process.
For formal legal correspondence, serve electronically to the legal channel with a hard-copy duplicate sent to the registered office.