Security & Trust

Defence-in-depth, audited annually.

An honest account of how we protect your data — what we do, what we audit, and what we worry about.

SOC 2 Type II · ISO 27001 · ISO 27701 · HIPAA / BAA · GDPR · CCPA · PCI DSS Level 1 · 99.99% SLA
Six pillars

How we approach defence-in-depth.

01 / ENCRYPTION
In transit & at rest
AES-256 at rest. TLS 1.3 in transit, with forward secrecy on every connection. Certificate pinning in the mobile apps.
02 / RESIDENCY
Region-locked storage
Pick EU, US or APAC at workspace creation. Enterprise plans get region-locked storage with guarantees you can verify in audit.
03 / KEYS
Customer-managed
Enterprise BYOK via AWS KMS, GCP KMS or an HSM. Revoke the key and our access ends with it, within seconds.
04 / ACCESS
Just-in-time
Engineering access to customer data is JIT, recorded, and reviewed. No standing access. No back doors.
05 / TESTING
Pentest & bounty
Annual full-stack pentest by a Big Four firm. Public bug-bounty programme with 24-hour triage SLA.
06 / RESPONSE
Drilled quarterly
Quarterly tabletop incident drills. Annual full DR cutover. Postmortems published for any customer-impacting incident.
Audits & reports

What we publish.

SOC 2 Type II · 2026

Annual report

Audited by Coalfire. Available on request to customers and prospects under NDA. Updated April 2026.

ISO 27001 · 2026

Certification

Issued by BSI, recertified annually. Covers all Tracket systems and offices.

PENTEST · Q1 2026

Penetration test summary

Q1 2026 full-stack pentest by KPMG. No critical or high-severity findings. Summary report available on request.

BUG BOUNTY

Public programme

880 valid reports paid out since 2020. Median triage time 14h. Hall of fame at security.html#bounty.

DPA · GDPR

Data Processing Agreement

GDPR-compliant DPA available to all paying customers. Counter-signed copies auto-generated when you upgrade to Standard or above.

HIPAA · BAA

Business Associate Agreement

Available on Enterprise. Includes ePHI segregation, audit-log access, and customer-managed key requirements.

Found a vulnerability?

We pay for valid security reports. 24-hour triage SLA. Hall of fame for first-finders.

Email security

Compliance details