TrackOfferz
Security & compliance

Security as a default, not a tier.

Every TrackOfferz customer gets the same security posture — encryption, audit trails, PII handling — regardless of plan.

14-day free trial. No credit card required. Cancel any time. 4.9/5 on G2.

Security posture

  • SOC 2 Type II: In progress (Q4 2026)
  • GDPR alignment: Active
  • CCPA alignment: Active
  • PCI compliance: N/A — we don't store card data

The pillars

How we protect your data

Six security pillars covering the lifecycle from click ingestion to payout dispatch.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. All Postgres + ClickHouse + Redis volumes encrypted.

  • TLS 1.3 with HSTS
  • AES-256 disk encryption
  • Encrypted backups in S3 with KMS

Authentication

argon2id password hashing, Redis-backed sessions with instant revocation, OAuth SSO on the roadmap.

  • argon2id @ 64 MB memory, 3 iterations
  • HttpOnly + Secure + SameSite=Lax cookies
  • Instant session revocation via Redis
  • TOTP MFA — schema ready, wiring in progress

PII handling

Outbound postbacks hash email + phone before dispatch when configured. Meta/TikTok CAPI integrations follow their hashing requirements out of the box.

  • SHA-256 + per-tenant pepper for email
  • E.164 normalize then SHA-256 for phone
  • Per-destination opt-in for hashing
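The normalize-then-hash pipeline described above, as an added example (not TrackOfferz code). It assumes the per-tenant pepper is applied as an HMAC-SHA256 key (the page says only "SHA-256 + per-tenant pepper"), that numbers without a leading `+` belong to a default country, and that the destination table, its names and the flags `hash_pii`, `use_pepper` and `phone_keep_plus` are constructed for illustration; platform integrations such as Meta CAPI want plain SHA-256 of the normalized value with the `+` removed from the phone, so those destinations are configured without a pepper.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed destination table for the example. The page only states that hashing is
# opt-in per destination and that the pepper is per tenant; the flags below are assumptions.
DESTINATIONS: Dict[str, Dict[str, bool]] = {
    "meta_capi":   {"hash_pii": True,  "use_pepper": False, "phone_keep_plus": False},
    "tiktok":      {"hash_pii": True,  "use_pepper": False, "phone_keep_plus": True},
    "partner_raw": {"hash_pii": False, "use_pepper": False, "phone_keep_plus": True},
    "partner_s2s": {"hash_pii": True,  "use_pepper": True,  "phone_keep_plus": True},
}

# E.164: '+', a non-zero country code digit, then at most 14 more digits (15 total).
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")


def normalize_email(email: str) -> str:
    """Trim whitespace and lowercase: the canonical form platforms hash."""
    return email.strip().lower()


def normalize_phone_e164(phone: str, default_cc: str = "1") -> str:
    """Reduce an arbitrarily formatted number to E.164 or raise ValueError.

    Assumption: a number without a leading '+' is a national number for the
    region identified by default_cc (leading trunk zeros are dropped).
    """
    raw = phone.strip()
    digits = re.sub(r"\D", "", raw)
    if not raw.startswith("+"):
        digits = default_cc + digits.lstrip("0")
    candidate = "+" + digits
    if not E164_RE.fullmatch(candidate):
        raise ValueError(f"not a valid E.164 number: {phone!r}")
    return candidate


def hash_value(value: str, pepper: Optional[bytes]) -> str:
    """Plain SHA-256 when no pepper is configured, HMAC-SHA256 keyed with the
    tenant pepper otherwise (the keyed construction is this example's choice)."""
    data = value.encode("utf-8")
    if pepper is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(pepper, data, hashlib.sha256).hexdigest()


def prepare_postback_pii(destination: str, email: str, phone: str,
                         tenant_pepper: bytes) -> Dict[str, str]:
    """Build the identifier fields for one outbound postback.

    Normalization always runs; hashing and the pepper depend on the destination.
    """
    cfg = DESTINATIONS[destination]
    norm_email = normalize_email(email)
    norm_phone = normalize_phone_e164(phone)
    if not cfg["hash_pii"]:
        # Destination opted out of hashing: send normalized plaintext.
        return {"em": norm_email, "ph": norm_phone}
    phone_for_hash = norm_phone if cfg["phone_keep_plus"] else norm_phone.lstrip("+")
    pepper = tenant_pepper if cfg["use_pepper"] else None
    return {
        "em": hash_value(norm_email, pepper),
        "ph": hash_value(phone_for_hash, pepper),
    }


if __name__ == "__main__":
    # Constructed sample input; the pepper would come from the tenant's key store.
    pepper = b"example-tenant-pepper"
    for dest in DESTINATIONS:
        print(dest, prepare_postback_pii(dest, " Alice@Example.COM ", "(415) 555-0134", pepper))
```

Two things worth checking when wiring this into a dispatcher: the same normalized input must hash identically across runs (the platform matches on the digest), and a tenant's peppered digests must never be sent to a destination that expects plain SHA-256, or no match will ever occur.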

Audit logging

Append-only audit table records every privileged action — admin overrides, impersonation, payout fires, manual replays.

  • Immutable AuditLog with user + org + IP
  • Every state-changing action recorded
  • Per-org log retention (configurable)

Data isolation

Every table tenant-scoped by org_id. Updates + deletes enforced with row-level predicates server-side.

  • Row-level tenant scoping on every write
  • `updateMany({where: {id, orgId}})` pattern enforced
  • No cross-tenant queries possible
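The `updateMany({where: {id, orgId}})` pattern, as an added example that is not TrackOfferz code: an in-memory table (constructed, with the class name `TenantScopedTable` and sample rows as assumptions) whose write methods refuse any predicate that lacks `orgId`, so an update or delete that names a row from another tenant simply matches nothing.

```python
from typing import Any, Dict, List


class TenantScopeError(ValueError):
    """Raised when a write predicate does not carry the tenant's orgId."""


class TenantScopedTable:
    """Constructed stand-in for a tenant-scoped table (not a real ORM).

    Every write goes through a where-predicate that must include orgId, mirroring
    the updateMany({where: {id, orgId}}) pattern; the orgId column itself is not
    writable, so a row can never be moved between tenants by an update.
    """

    def __init__(self, rows: List[Dict[str, Any]]):
        self.rows = rows

    @staticmethod
    def _require_scope(where: Dict[str, Any]) -> None:
        if not where.get("orgId"):
            raise TenantScopeError("write predicate must include orgId")

    @staticmethod
    def _matches(row: Dict[str, Any], where: Dict[str, Any]) -> bool:
        return all(row.get(k) == v for k, v in where.items())

    def update_many(self, where: Dict[str, Any], data: Dict[str, Any]) -> int:
        """Apply data to rows matching where; returns the number of rows changed."""
        self._require_scope(where)
        if "orgId" in data:
            raise TenantScopeError("orgId is not a writable column")
        changed = 0
        for row in self.rows:
            if self._matches(row, where):
                row.update(data)
                changed += 1
        return changed

    def delete_many(self, where: Dict[str, Any]) -> int:
        """Delete rows matching where; returns the number of rows removed."""
        self._require_scope(where)
        before = len(self.rows)
        self.rows = [r for r in self.rows if not self._matches(r, where)]
        return before - len(self.rows)

    def get(self, row_id: str) -> Dict[str, Any]:
        """Read helper used by the checks below (unscoped on purpose, read-only)."""
        return next(r for r in self.rows if r["id"] == row_id)


def sample_offers() -> TenantScopedTable:
    """Constructed sample data: two tenants, one offer each."""
    return TenantScopedTable([
        {"id": "off_1", "orgId": "org_a", "payout": 10},
        {"id": "off_2", "orgId": "org_b", "payout": 20},
    ])


if __name__ == "__main__":
    offers = sample_offers()
    # Same-tenant update succeeds; cross-tenant update matches no rows.
    print(offers.update_many({"id": "off_1", "orgId": "org_a"}, {"payout": 15}))  # 1
    print(offers.update_many({"id": "off_2", "orgId": "org_a"}, {"payout": 0}))   # 0
```

The interesting property is the second call: a caller from `org_a` that somehow learns the id `off_2` still cannot change it, because the predicate carries both keys and the row fails the `orgId` half. The scope check is also the place to alert from in production: a write arriving without `orgId` is a code bug, not a user error.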

Infrastructure

Edge tracking on Cloudflare. Origin services on hardened VPS with WireGuard mesh + firewall rules.

  • Cloudflare edge for click tracking
  • WireGuard between origin services
  • DDoS protection at edge
  • Per-IP rate limits on all auth endpoints

On the roadmap

What's coming next

  • Q3 2026
    SOC 2 Type II audit
    Independent audit firm, full Type II report available to enterprise customers under NDA.
  • Q3 2026
    OAuth SSO
    Google Workspace + Microsoft Entra (formerly Azure AD) + SAML 2.0 for enterprise tier.
  • Q4 2026
    HIPAA alignment
    Available on enterprise tier for healthcare-adjacent verticals.
  • Q4 2026
    Bug bounty program
    Public program via HackerOne, with payout tiers up to $5k for critical issues.

Security questions?

Reach out — we'll get you our SOC 2 status, DPA template, and any other docs you need.