Security
Last updated: July 1, 2026
This page is maintained by Afftrack.dev to describe the security controls we operate today. It is not a certification.
Infrastructure
- Hosted on globally distributed edge infrastructure with automatic failover.
- Managed Postgres database with encryption at rest (AES-256) and daily backups.
- Isolated per-workspace data with row-level security enforced at the database layer.
Encryption
- TLS 1.2+ for all traffic between browsers, our API, and postback endpoints.
- Secrets and credentials stored in a managed secret store, never in application code.
Access control
- Role-based access to production; least privilege by default.
- Mandatory 2FA for all team members with production access.
- Full audit logging of administrative actions.
Application security
- Input validation and typed schemas on every server endpoint.
- Signed, verified webhooks for external callers.
- Automated dependency scanning and regular patching.
Monitoring and incident response
- 24/7 uptime and error monitoring.
- Documented incident response plan; customer notification within 72 hours of a confirmed personal data breach.
Compliance posture
GDPR ready. SOC 2 Type I in progress. We are happy to complete customer security questionnaires for paid plans.
Report a vulnerability
Email support@afftrack.dev. We acknowledge reports within 2 business days and will not pursue legal action against good-faith researchers who follow responsible disclosure.
