Security & compliance

Security as a default, not a tier.

Every TrackOfferz customer gets the same posture — encryption, audit trails, PII handling — regardless of plan.

Security posture

  • SOC 2 Type II: In progress (Q4 2026)
  • GDPR alignment: Active
  • CCPA alignment: Active
  • PCI compliance: N/A — we don't store card data

The pillars

How we protect your data

Six pillars covering the lifecycle from click ingestion to payout dispatch.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Every datastore volume, and every backup, is encrypted at rest.

  • TLS 1.3 with HSTS
  • AES-256 disk encryption
  • Encrypted backups in S3 with KMS

Authentication

Memory-hard password hashing, server-side sessions with instant revocation, and TOTP MFA (wiring in progress).

  • Memory-hard password hashing (64MB / 3 iterations)
  • HttpOnly + Secure + SameSite cookies
  • Instant server-side session revocation
  • TOTP MFA — schema ready, wiring in progress

PII handling

Outbound postbacks hash email + phone before dispatch when configured. CAPI integrations follow their hashing requirements out of the box.

  • SHA-256 + per-tenant pepper for email
  • E.164 normalize then SHA-256 for phone
  • Per-destination opt-in for hashing

Audit logging

Append-only audit table records every privileged action — admin overrides, impersonation, payout fires, manual replays.

  • Immutable AuditLog with user + org + IP
  • Every state-changing action recorded
  • Per-org log retention (configurable)

Data isolation

Every table tenant-scoped by org_id. Updates and deletes enforced with row-level predicates server-side.

  • Row-level tenant scoping on every write
  • updateMany({where: {id, orgId}}) pattern enforced
  • Cross-tenant reads and writes rejected by the org_id predicate
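The tenant-scoped write pattern from this section and the append-only audit record from the section before it, in one added example that is not TrackOfferz code. It runs over an in-memory table and assumes Prisma-like updateMany semantics (every key in `where` must match, result is `{ count }`); table, field and action names are constructed.

```javascript
// Added example, not TrackOfferz code: the tenant-scoped write pattern and an
// append-only audit record, over an in-memory table so it runs offline.
// Assumption: Prisma-like updateMany semantics (every key in `where` must
// match, result is { count }); the real datastore is whatever the project uses.

// Constructed sample rows for two tenants.
const offers = [
  { id: 'of_1', orgId: 'org_a', payout: 10 },
  { id: 'of_2', orgId: 'org_b', payout: 12 },
];

// Filters on every where key. An update keyed on id alone would let any
// tenant that learns an id modify it; adding orgId turns that attempt into
// zero matched rows instead of a cross-tenant write.
function updateMany(table, where, data) {
  let count = 0;
  for (const row of table) {
    if (Object.entries(where).every(([k, v]) => row[k] === v)) {
      Object.assign(row, data);
      count++;
    }
  }
  return { count };
}

// Append-only: entries are frozen on write and the log is only ever pushed
// to; readers get a copy. In a database this is a table on which the
// application role holds INSERT but not UPDATE or DELETE.
const auditLog = [];
function appendAudit(entry) {
  const record = Object.freeze({ at: new Date().toISOString(), ...entry });
  auditLog.push(record);
  return record;
}
function readAudit() {
  return auditLog.slice();
}

// The only entry point for changing an offer. The actor's org comes from the
// authenticated session, never from the request body. The explicit check
// matters because an ORM such as Prisma drops `undefined` where values, so a
// missing orgId would silently widen the filter instead of failing.
function updateOffer(actor, offerId, data) {
  if (!actor.orgId) throw new Error('tenant context required');
  const res = updateMany(offers, { id: offerId, orgId: actor.orgId }, data);
  appendAudit({
    action: 'offer.update',
    userId: actor.userId, orgId: actor.orgId, ip: actor.ip,
    target: offerId, matched: res.count,
  });
  return res;
}
```

Note that the audit entry is written even when zero rows matched: a stream of `matched: 0` updates against foreign ids from one user is exactly the signal an enumeration attempt leaves behind.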

Infrastructure

Our tracking edge runs on the origin behind a global CDN proxy for TLS and DDoS filtering. Data stores are firewalled to the host.

  • Origin-owned edge — no third-party serverless runtime
  • Global CDN proxy for TLS + DDoS filtering
  • All datastores bound to localhost only
  • Per-IP rate limits on all auth endpoints
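One consequence of the architecture above that a per-IP limit has to get right: with the origin behind a CDN proxy, the socket peer on every request is the proxy, so the limiter must key on the client address the proxy forwards, and must trust that header only when the connection really comes from the proxy. The following is an added example, not TrackOfferz code; the proxy addresses, the `x-client-ip` header name and the limit numbers are constructed stand-ins for whatever the real CDN and policy use.

```javascript
// Added example, not TrackOfferz code: per-IP rate limiting for auth endpoints
// on an origin that sits behind a CDN proxy. Assumptions: the proxy addresses
// and the 'x-client-ip' header are constructed stand-ins for the real CDN's.
const TRUSTED_PROXIES = new Set(['198.51.100.10', '198.51.100.11']); // constructed

// Behind a proxy the socket peer is the proxy, not the user, so the limit
// must key on the forwarded client address. Trust that header only when the
// peer really is the proxy; anyone who reaches the origin directly could
// otherwise spoof a fresh IP on every request and never be limited.
function clientIp(socketAddr, headers) {
  if (TRUSTED_PROXIES.has(socketAddr)) {
    const forwarded = headers['x-client-ip'];
    if (forwarded) return forwarded.trim();
  }
  return socketAddr;
}

// Token bucket: `capacity` requests may burst, then one more per `refillMs`.
// Integer time arithmetic and an injectable clock keep it deterministic.
class RateLimiter {
  constructor({ capacity, refillMs }) {
    this.capacity = capacity;
    this.refillMs = refillMs;
    this.buckets = new Map();
  }
  allow(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, at: now };
      this.buckets.set(key, b);
    }
    const earned = Math.floor((now - b.at) / this.refillMs);
    if (earned > 0) {
      b.tokens = Math.min(this.capacity, b.tokens + earned);
      b.at += earned * this.refillMs;
    }
    if (b.tokens === 0) return false;
    b.tokens -= 1;
    return true;
  }
}

// 5 attempts burst, then one every 12 s, per client IP (constructed numbers).
const loginLimiter = new RateLimiter({ capacity: 5, refillMs: 12000 });

// Returns true if the login attempt may proceed, false if it should get a 429.
function allowLogin(socketAddr, headers, now = Date.now()) {
  return loginLimiter.allow(clientIp(socketAddr, headers), now);
}
```

In production the bucket map needs eviction and, with more than one origin instance, a shared store; and a per-IP limit on its own does not stop credential stuffing spread across many addresses, which is why it pairs with the per-account controls (memory-hard hashing, MFA) listed under Authentication rather than replacing them.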

On the roadmap

What’s coming next

Q3 2026

SOC 2 Type II audit

Independent audit firm, full Type II report available to enterprise customers under NDA.

Q4 2026

HIPAA alignment

Available on enterprise tier for healthcare-adjacent verticals.

Q4 2026

Bug bounty program

Public program via HackerOne, with payout tiers up to $5k for critical issues.

Due diligence

Security questions?

Reach out — we’ll get you our SOC 2 status, DPA template, and any other docs you need.