ENGINEERING/ MAR 21, 2026/ 9 MIN READ

SOC-2, ISO 27001, and how we sleep at night.

Karan Modi
VP SECURITY · SURAT
A SOC-2 report says you have policies and that an auditor checked the policies are followed. It does not say your software is secure. We earn both, every year, and we still don't think they're sufficient. Here's what actually keeps Tracket secure — and what compliance theatre would have you believe instead.

I've been the person on the buyer side of this conversation, and I've been the person on the vendor side. The buyer-side conversation usually goes: "Send me your SOC-2 report and your security questionnaire." The vendor sends a 47-page PDF nobody reads, and the deal moves forward. This is theatre.

What audits actually do

Audits are useful. They force you to write things down. They force you to enforce least-privilege access. They force you to rotate keys quarterly even when nobody's pushing for it. The discipline is the point — not the certificate.

  • SOC-2 Type II — you have controls AND you've operated them for at least 6 months.
  • ISO 27001 — you have an Information Security Management System (ISMS) that ISO recognises.
  • ISO 27701 — you extend the ISMS to privacy controls.
  • HIPAA / BAA — for customers in healthcare. We sign BAAs on Enterprise.

What audits don't do: prove your software is free of vulnerabilities, prove your data centres are physically secure, or prove that your incident response is fast. For those, you need different tools.

An audit proves the discipline. It does not prove the result.

What we actually do

Tracket's security programme has six layers, in roughly the order of how often we exercise them:

  • Code review. Every PR. Two human approvers for security-sensitive paths. Static analysis on every commit.
  • Bug bounty. Live since 2020. 24-hour triage SLA. We've paid out on 880 reports; the median payout lands within three business days.
  • Penetration testing. Annual full-stack pentest by a Big Four firm. Quarterly targeted pentests on new surfaces.
  • Drills. Quarterly tabletop exercises for incident response. Annual full DR drill where we cut over the primary region.
  • Postmortems. Public for any customer-impacting incident. Internal-only for near-misses.
  • Customer-managed keys. Enterprise customers can BYOK. Tracket loses access to your data if you revoke them.

What we worry about

Three things keep me awake. Supply-chain attacks against the dependencies our build pipeline trusts. Insider risk from privileged engineering access. And the slow erosion of "default secure" as the codebase grows. We have specific countermeasures for each, but the honest answer is: we are never done. Security is a posture, not a project.

If you're evaluating Tracket for a security-sensitive workload, our team will jump on a call to walk you through any of this. Or read the full Trust & compliance page. Both work.
