TrackOfferz
Security & compliance

Security as a default, not a tier.

Every TrackOfferz customer gets the same security posture — encryption, audit trails, PII handling — regardless of plan.

Start free trial Talk to security
14-day free trial No credit card required Cancel any time Self-host or managed

Security posture

  • SOC 2 Type IIIn progress (Q4 2026)
  • GDPR alignmentActive
  • CCPA alignmentActive
  • PCI complianceN/A — we don't store card data
The pillars

How we protect your data

Six security pillars covering the lifecycle from click ingestion to payout dispatch.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Every datastore volume encrypted end to end.

  • TLS 1.3 with HSTS
  • AES-256 disk encryption
  • Encrypted backups in S3 with KMS

Authentication

Memory-hard password hashing, server-side sessions with instant revocation, and granular MFA.

  • Memory-hard password hashing (64MB / 3 iterations)
  • HttpOnly + Secure + SameSite=Lax cookies
  • Instant server-side session revocation
  • TOTP MFA — schema ready, wiring in progress

PII handling

Outbound postbacks hash email + phone before dispatch when configured. Meta/TikTok CAPI integrations follow their hashing requirements out of the box.

  • SHA-256 + per-tenant pepper for email
  • E.164 normalize then SHA-256 for phone
  • Per-destination opt-in for hashing

Audit logging

Append-only audit table records every privileged action — admin overrides, impersonation, payout fires, manual replays.

  • Immutable AuditLog with user + org + IP
  • Every state-changing action recorded
  • Per-org log retention (configurable)

Data isolation

Every table tenant-scoped by org_id. Updates + deletes enforced with row-level predicates server-side.

  • Row-level tenant scoping on every write
  • `updateMany({where: {id, orgId}})` pattern enforced
  • No cross-tenant queries possible

Infrastructure

Our tracking edge runs on the origin behind a global CDN proxy for TLS and DDoS filtering. Data stores are firewalled to the host.

  • Origin-owned tracking edge — no third-party serverless runtime
  • Global CDN proxy in front for TLS termination + DDoS filtering
  • All datastores bound to localhost only
  • Per-IP rate limits on all auth endpoints
On the roadmap

What's coming next

  • Q3 2026
    SOC 2 Type II audit
    Independent audit firm, full Type II report available to enterprise customers under NDA.
  • Q4 2026
    HIPAA alignment
    Available on enterprise tier for healthcare-adjacent verticals.
  • Q4 2026
    Bug bounty program
    Public program via HackerOne, with payout tiers up to $5k for critical issues.

Security questions?

Reach out — we'll get you our SOC 2 status, DPA template, and any other docs you need.

Talk to security Start free trial