Encryption
All data is encrypted in transit using TLS 1.3 with HSTS enforced on all hostnames. At rest, customer event data is encrypted using AES-256-GCM with per-tenant data keys derived from a master key in our managed KMS. Database backups are encrypted with the same scheme.
Tenant isolation
Each customer’s data lives in a logically isolated namespace at the application layer, with row-level security enforced in PostgreSQL. We do not pool event data across tenants. We do not use customer data to train models, even our own.
Access control
- SSO + MFA required for all internal team access (Sergio is the only team member as of this writing).
- Production database access is gated behind a break-glass workflow with all queries logged.
- No production data is replicated to staging or development environments.
SDLC
Every commit to main runs lint, type check, test suite, and a vulnerability scan against npm packages. Dependencies are pinned, and patch updates are auto-PRed weekly. Production deploys go through Vercel preview deployments first.
Vulnerability disclosure
We publish a security.txt with the security disclosure email, PGP key, and scope. We respond to all reports within 24 hours and ship critical patches within 72 hours. There is no formal bug bounty yet — see changelog roadmap for the planned launch in Q4 2026.
Audit and compliance
SOC 2 Type II audit is in progress with target completion month 14 from the public beta launch. We comply with GDPR and CCPA today. EU data residency is available on the Scale tier (dedicated EU cluster in Frankfurt + Dublin). HIPAA BAA is available on the Enterprise tier.
Sub-processors
See /trust/subprocessors for the live list of every vendor that processes customer data on our behalf.
Incident response
If a security incident affects customer data, we notify affected customers within 72 hours via the email on file, post a public incident report at status.trackrift.com, and (when applicable) report to the relevant data protection authority within the GDPR-mandated window.