Security

Last updated: July 1, 2026

This page is maintained by Afftrack.dev to describe the security controls we operate today. It is not a certification.

Infrastructure

  • Hosted on globally distributed edge infrastructure with automatic failover.
  • Managed Postgres database with encryption at rest (AES-256) and daily backups.
  • Isolated per-workspace data with row-level security enforced at the database layer.

Encryption

  • TLS 1.2+ for all traffic between browsers, our API, and postback endpoints.
  • Secrets and credentials stored in a managed secret store, never in application code.

Access control

  • Role-based access to production; least privilege by default.
  • Mandatory 2FA for all team members with production access.
  • Full audit logging of administrative actions.

Application security

  • Input validation and typed schemas on every server endpoint.
  • Signed, verified webhooks for external callers.
  • Automated dependency scanning and regular patching.

Monitoring and incident response

  • 24/7 uptime and error monitoring.
  • Documented incident response plan; customer notification within 72 hours of a confirmed personal data breach.

Compliance posture

GDPR ready. SOC 2 Type I in progress. We are happy to complete customer security questionnaires for paid plans.

Report a vulnerability

Email support@afftrack.dev. We acknowledge reports within 2 business days and will not pursue legal action against good-faith researchers who follow responsible disclosure.