Your shop runs on Whitrack. Security is not optional. Here is how we protect your data and your customers' data, at every layer.
Encryption
- TLS 1.2+ for all traffic in transit
- AES-256 at rest for databases, backups, and object storage
- Bcrypt (cost factor 10) for all password hashes
- Session tokens are signed JWTs (HS256, 30-day expiry), stored in HttpOnly, SameSite=Lax cookies
Access control
- Role-based access inside the app (owner / dispatcher / technician / viewer). Every tRPC procedure checks the caller's role.
- Multi-factor authentication enforced on all staff accounts that can access production.
- Least-privilege IAM on all cloud infrastructure.
- All internal access is logged and reviewed.
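The per-procedure role check above, as an added TypeScript illustration that is not Whitrack's code: a dependency-free stand-in for a tRPC middleware that uses the page's four roles with constructed procedure names, consults one central table, and refuses any procedure that is not registered in it, so a forgotten entry fails closed rather than open.

```typescript
// Added illustration of the role check above (hypothetical names, not Whitrack's code).
// Dependency-free stand-in for a tRPC middleware: one central table, fail-closed.
type Role = "owner" | "dispatcher" | "technician" | "viewer";
interface Caller { userId: string; role: Role }

// Deny by default: a procedure may be called only by the roles listed for it.
// Procedure names are constructed samples.
const PROCEDURE_ROLES: ReadonlyMap<string, ReadonlySet<Role>> = new Map([
  ["job.list", new Set<Role>(["owner", "dispatcher", "technician", "viewer"])],
  ["job.assign", new Set<Role>(["owner", "dispatcher"])],
  ["billing.update", new Set<Role>(["owner"])],
]);

class ForbiddenError extends Error {
  constructor(procedure: string, role: Role) {
    super(`FORBIDDEN: role "${role}" may not call ${procedure}`);
    this.name = "ForbiddenError";
  }
}

// Central guard. A procedure missing from the table is refused as well, so
// forgetting to register a new procedure cannot silently open it to everyone.
function authorize(procedure: string, caller: Caller): void {
  const allowed = PROCEDURE_ROLES.get(procedure);
  if (allowed === undefined || !allowed.has(caller.role)) {
    throw new ForbiddenError(procedure, caller.role);
  }
}

// Wrap a handler so the check runs before its body and cannot be left out.
function guarded<I, O>(procedure: string, handler: (input: I, caller: Caller) => O) {
  return (input: I, caller: Caller): O => {
    authorize(procedure, caller);
    return handler(input, caller);
  };
}

// Sample procedure: only owners and dispatchers may assign jobs to technicians.
const assignJob = guarded("job.assign", (input: { jobId: string; technicianId: string }, caller: Caller) =>
  `job ${input.jobId} assigned to ${input.technicianId} by ${caller.userId}`);

// For policy tests: can this role reach this procedure?
function canCall(procedure: string, role: Role): boolean {
  try { authorize(procedure, { userId: "policy-test", role }); return true; }
  catch { return false; }
}
```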
Application security
- CSP, HSTS, X-Frame-Options, and Referrer-Policy headers on all pages
- CSRF protection on all state-changing routes
- Input validation with Zod on every API boundary
- Parameterized SQL via Drizzle; no raw string concatenation
- Automated dependency scanning and weekly patching cadence for critical vulnerabilities
Infrastructure
- Hosted on AWS in the us-east-1 and eu-central-1 regions
- Daily automated backups with 30-day retention
- Point-in-time recovery for the primary database
- Network isolation; databases are never exposed to the public internet
Monitoring and incident response
- 24/7 automated alerting on error rates, latency, and auth anomalies
- Incident response runbook with defined severity tiers and a 72-hour breach notification commitment (see our DPA)
- Status page at whitrack.com/status for real-time component health
Compliance
Our SOC 2 Type II audit is in progress. Our GDPR, UK GDPR, and CCPA commitments are formalized in our Data Processing Addendum.
Report a vulnerability
We welcome responsible disclosure. Email security@whitrack.com with details and, where possible, a proof of concept. We will acknowledge your report within 1 business day and coordinate a fix. We will not take legal action against good-faith researchers who follow this policy.