Security at Trackera

Trackera takes the security of our customers' data very seriously. We run our entire platform on Amazon Web Services (AWS), leveraging AWS’s robust security measures and compliance certifications. We also ensure full compliance with the EU General Data Protection Regulation (GDPR), applying industry best practices to protect data and safeguard user privacy. This means we enforce strong data protection controls and respect user privacy rights (such as the right to be forgotten and data portability). If you have any questions or feedback about our security measures, please reach out to us at security@trackera.io – we’re happy to help.

Cloud Infrastructure and AWS Services

All of Trackera’s services run in the cloud – we do not host any physical servers ourselves. Our platform is built entirely on AWS infrastructure, which provides world-class security and reliability. By building on AWS, Trackera inherits the benefits of AWS’s secure data centers and network architecture. (Notably, AWS maintains dozens of internationally recognized security certifications and frameworks, from ISO 27001 to SOC 2 and more). We utilize multiple AWS services to ensure a scalable and secure system, including:

- Amazon EC2: We run our application on Amazon EC2 virtual servers within a secure Virtual Private Cloud. This gives us fine-grained control over network access and allows us to quickly scale or replace servers as needed.

- Amazon S3: We use AWS S3 for data storage and backups. All files and backups stored in S3 are encrypted at rest by AWS and transmitted over secure connections, keeping your data safe.

- Amazon SES: Trackera relies on Amazon Simple Email Service (SES) to send out emails (for example, verification emails or reports) in a secure and trusted manner. This ensures important emails are delivered reliably while adhering to security protocols.

- AWS IAM: We manage access to our cloud resources using AWS Identity and Access Management (IAM). IAM allows us to enforce the principle of least privilege – each service and administrator has only the minimum permissions necessary. All access keys and credentials are tightly controlled and rotated regularly for safety.

- AWS Bedrock: For Trackera’s AI-powered features (like automatically creating time entries from Jira tickets), we use AWS Bedrock. This service enables us to utilize advanced AI models entirely within AWS’s secure environment, so any data processed by our AI features stays protected by AWS’s safeguards.

Network Security & DDoS Protection

Network-level security is a critical part of our infrastructure. All Trackera servers are hosted in an isolated AWS Virtual Private Cloud (VPC), and we configure strict security group firewalls to control incoming and outgoing traffic. Only the necessary ports and services are exposed, minimizing our attack surface. We also rely on AWS’s built-in defenses against network attacks – AWS Shield Standard provides automatic protection against common Distributed Denial of Service (DdoS) attacks at no extra cost. This means that AWS is continually monitoring and mitigating common network floods or malicious traffic aimed at our platform. Thanks to these measures, and regular system updates and patches, our infrastructure remains resilient against network-based threats. For additional protection, we continuously monitor network traffic for unusual patterns and will quickly respond to any potential DdoS events using AWS tools and best practices.

Data Encryption

Protecting customer data both in transit and at rest is a top priority for Trackera. All data in transit between your device and our servers is encrypted using Transport Layer Security (TLS, the protocol behind HTTPS). This ensures that any information you send to Trackera (or we send back) is protected from eavesdropping or tampering while it travels over the internet. We use strong encryption ciphers and regularly update our TLS configurations to align with industry best practices.

Likewise, all data at rest is encrypted. Our application data, whether stored in databases or in S3, is protected using AWS’s server-side encryption. AWS automatically encrypts data stored on disk with proven encryption algorithms (for example, AES-256). In practice, this means that even if someone were to access the physical storage media, they could not read your data without the proper decryption keys. Backup files are also encrypted. By encrypting data both in transit and at rest, we add multiple layers of defense to keep your information safe from unauthorized access.

Data Backup & Disaster Recovery

We understand that data availability and integrity are just as important as data security. Trackera performs daily backups of all critical customer data. These backups are securely stored in AWS (using services like S3), and they are themselves encrypted to prevent unauthorized access. We regularly test our backup restoration process by attempting to restore from backups on a scheduled basis, to confirm that our data recovery procedures work effectively. In the event of any data loss or corruption, these backups allow us to quickly restore the latest information with minimal downtime.

Because our platform runs on AWS, we benefit from AWS’s highly resilient infrastructure. Routine hardware failures (for example, a failed disk or server) are handled transparently by AWS, with redundant systems ensuring that our application keeps running. We deploy our application across multiple availability zones when possible, so that even if one data center experiences an issue, Trackera can continue operating from another zone without interruption.

We also prepare for larger-scale incidents. The most extreme scenario would be an AWS region-wide outage affecting our primary hosting region. While such events are rare, we have plans in place to recover in an alternate region if necessary to keep Trackera available. Our disaster recovery plan is regularly reviewed and updated as our infrastructure evolves. By combining frequent backups, encrypted off-site storage, and the inherent reliability of AWS, we aim for robust business continuity even in the face of unforeseen events.

Application Security and Development Practices

Security is woven into our software development and deployment process. Our engineering team follows secure development best practices to prevent vulnerabilities in our codebase. This includes keeping all our frameworks and dependencies up-to-date and auditing them for known security vulnerabilities. We perform code reviews for critical changes, where at least one other experienced developer examines the code for potential security issues or logic errors before it’s merged. Trackera’s developers are well-versed in common security guidelines such as the OWASP Top 10, and we strive to write code that is safe from issues like SQL injection, cross-site scripting (XSS), and other threats.

We also utilize automated tools to scan our application for vulnerabilities on a regular basis. This may include dependency scanning (to catch outdated libraries with known issues) and periodic security scans of our application’s endpoints. In addition, we have extensive logging and monitoring in place. Our system logs important events and errors in detail, creating an audit trail of all key actions. These logs are monitored for any anomalies that could indicate a security issue. For example, we track authentication attempts, privilege changes, and other sensitive operations. Unusual activity triggers alerts so our team can investigate promptly. By proactively monitoring our application and infrastructure, we can detect and respond to potential issues before they impact our users.

Responsible Disclosure of Vulnerabilities

Despite our best efforts, no system is immune to bugs or security gaps. Trackera welcomes feedback and reports from security researchers or customers who discover potential vulnerabilities in our platform. If you believe you’ve found a security issue, we encourage you to report it to us immediately in a responsible manner. Please contact us at security@trackera.io with the relevant details (including steps to reproduce the issue or a proof-of-concept, if available). We pledge to address the problem as quickly as possible and will keep you updated on our progress. We also commit that we will not take legal action against anyone who identifies and reports a vulnerability to us in good faith, provided they do not exploit the vulnerability beyond testing and give us a reasonable opportunity to fix it. Your efforts to help us improve the security of Trackera are greatly appreciated, and they ultimately benefit the entire user community.

Internal Access Controls & Policies

Trackera maintains strict internal security policies to ensure that customer data is only accessible to authorized personnel. Access to production systems and databases is highly restricted – only two core team members (our founder/CEO and our lead technical specialist) have administrative access to the production environment. We enforce multi-factor authentication (MFA/2FA) for any access to sensitive systems or AWS accounts. In practice, this means that even those two authorized individuals must verify their identity through an additional security factor (such as an authenticator app code) before gaining access, which helps prevent account compromise.

We use AWS Identity and Access Management to define fine-grained permissions for our team. Each person is given a unique user account with the least privileges necessary for their role. All infrastructure access is logged, and we monitor these logs to audit any changes or access to production resources.

In addition, we have company-wide policies to uphold security:

  • Confidentiality Agreements: Every team member at Trackera is required to sign a confidentiality and non-disclosure agreement, which legally binds them to protect customer information. We also train our staff on data privacy and security practices so that they understand the importance of handling data properly.
  • Employee Vetting: We carefully vet and trust any individual who is granted access to sensitive data. Given our small team, this means only senior, trusted personnel handle production credentials. As we grow, we will continue to perform background checks or other verification for roles that involve access to customer data.
  • Least Privilege Principle: We follow the principle of least privilege for both systems and people. Access to customer information or critical systems is granted only to those who absolutely need it to perform their job. For example, our support staff or developers work with anonymized or test data whenever possible, and only the core operations engineers can access live production databases – and even then, only through secure methods.
  • Documented Procedures: Trackera has documented security procedures and guidelines that our team abides by. This includes how to handle user data, how to respond to security incidents, and how to safely develop and deploy code. We regularly review and update these internal policies to adapt to new threats and to ensure compliance with evolving best practices.

Compliance and Data Privacy

We know that many of our customers (especially our business clients) need to ensure Trackera meets their own compliance requirements. Data privacy laws and industry regulations are not an afterthought for us – they are central to how we operate.

GDPR: Trackera is fully compliant with the General Data Protection Regulation (GDPR), the European Union’s strict data privacy law. GDPR compliance means we safeguard personal data of individuals in the EU and provide mechanisms for our users to exercise their rights over their data. For instance, any user (or an employee of a business client) can request access to their personal data that Trackera stores, ask for corrections, or request deletion of their data (the “right to be forgotten”) and we will promptly honor those requests. We only collect and process personal data for legitimate purposes of providing our service, and we do so transparently and securely. Trackera also offers a Data Processing Agreement for business customers who require it for GDPR compliance. For more details on our privacy practices, please see our Privacy Policy or contact us – we’re happy to discuss how we protect user data.

Security Standards and Certifications: At this time, Trackera has not pursued formal security certifications such as ISO/IEC 27001 or SOC 2 yet. We have focused on implementing strong security controls in line with these standards, even if we don’t have the certificate on the wall. It’s important to note that our infrastructure provider, AWS, is certified for ISO 27001, ISO 27017, ISO 27018 and many other standards. This means the data centers and core services we rely on have been independently audited and verified to meet rigorous security requirements – a solid foundation upon which we build our own security program. In the future, as Trackera grows, we plan to undergo audits for frameworks like ISO 27001 or SOC 2 to provide additional assurance to our customers. In the meantime, we remain committed to maintaining high security standards and complying with all relevant regulations (such as GDPR, as described above, and other regional data protection laws as applicable).

By leveraging AWS’s compliance and following best practices, Trackera strives to meet the expectations of even the most security-conscious clients. We want you – whether you are a business owner, an IT specialist evaluating our service, or a legal advisor reviewing our policies – to feel confident that Trackera protects your data with utmost care. We will continue to improve and invest in security as our platform and user base grow, ensuring that your data remains safe with Trackera.