Security at TrackNCloak

Protecting your data is not just a feature — it is foundational to everything we build.

Your Data Belongs to You

We process your tracking data solely to provide reports. We never sell, share, or monetize your campaign data.

Defense in Depth

Multiple, independent layers of security across infrastructure, application, and processes, so that no single control is a single point of failure.

Transparency

We are open about our security practices so you can make informed decisions about trusting us with your business.

Infrastructure Security

Cloud Hosting

TrackNCloak runs on Hetzner Cloud, a German cloud provider with ISO 27001 certification and SOC-audited data centers. Our servers are hosted in the Asia-Pacific region (Singapore).

  • Dedicated virtual private servers with isolated compute resources
  • Automated security patches and OS updates
  • Firewall rules restricting access to necessary ports only
  • SSH key-only authentication (no password access)

CDN & DDoS Protection

All traffic passes through Cloudflare, providing:

  • Global CDN for fast page loads worldwide
  • Enterprise-grade DDoS protection
  • Web Application Firewall (WAF) rules
  • Automatic HTTPS with TLS 1.3
  • Bot management and rate limiting at the edge

Database

Data stored in Neon PostgreSQL, a managed database service:

  • Encryption at rest (AES-256) and in transit (TLS)
  • Automated daily backups with point-in-time recovery
  • Network-level isolation — not accessible from public internet
  • SOC 2 Type II compliant infrastructure

Application Security

Authentication

  • Passwords hashed with bcrypt at a high cost (work) factor
  • JWT-based sessions carried in cookies flagged Secure and HttpOnly, so they are sent only over HTTPS and are not readable by page scripts
  • Email verification required for all accounts
  • Secure, time-limited password reset tokens

Authorization

  • Workspace isolation — users cannot access other workspaces
  • Role-based access with distinct permission levels
  • Server-side plan-based feature gating
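All three authorization bullets are one check performed server-side before any data is touched. Below is an added example (not TrackNCloak's code) of such a check: it denies access unless the caller is a member of the requested workspace, holds at least the required role, and the workspace's plan includes the feature. The role names, the plan/feature matrix, the sample membership rows, and the choice to answer non-members with 404 (so workspace ids cannot be enumerated) and plan gating with 402 are assumptions made for the example.

```javascript
// Added example, not TrackNCloak's code: one server-side gate enforcing workspace
// isolation, a role hierarchy and plan-based feature gating. Roles, plans, the
// feature matrix and the sample rows below are constructed assumptions.
const ROLE_RANK = { viewer: 1, editor: 2, admin: 3 };

// Assumed plan/feature matrix, not TrackNCloak's pricing.
const PLAN_FEATURES = {
  free: new Set(["reports.view"]),
  pro: new Set(["reports.view", "reports.export", "links.cloak"]),
};

// Constructed sample data standing in for database rows.
const workspaces = new Map([
  ["ws_1", { plan: "pro" }],
  ["ws_2", { plan: "free" }],
]);
const memberships = new Map([
  ["user_a:ws_1", "admin"],
  ["user_b:ws_1", "viewer"],
  ["user_b:ws_2", "admin"],
]);

class AuthzError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Deny unless the caller is a member of the workspace, holds at least `minRole`,
// and the workspace's plan includes `feature`. Non-members get 404 rather than
// 403 so that workspace ids are not enumerable; plan gating returns 402.
function authorize({ userId, workspaceId, minRole, feature }) {
  const ws = workspaces.get(workspaceId);
  const role = memberships.get(`${userId}:${workspaceId}`);
  if (!ws || !role) throw new AuthzError(404, "workspace not found");
  if (ROLE_RANK[role] < ROLE_RANK[minRole]) throw new AuthzError(403, `requires ${minRole}`);
  if (feature && !PLAN_FEATURES[ws.plan].has(feature)) {
    throw new AuthzError(402, `feature ${feature} not in plan ${ws.plan}`);
  }
  return { role, plan: ws.plan };
}

// Example handler: the workspace id arrives in the URL, so the check runs first
// and the data query is scoped by the same id (with Prisma, `where: { workspaceId }`).
function exportReport(userId, workspaceId) {
  authorize({ userId, workspaceId, minRole: "editor", feature: "reports.export" });
  return `csv export for ${workspaceId}`;
}

// Maps the authorization outcome to an HTTP-style response for the tests.
function tryExport(userId, workspaceId) {
  try {
    return { status: 200, body: exportReport(userId, workspaceId) };
  } catch (e) {
    if (e instanceof AuthzError) return { status: e.status, body: e.message };
    throw e;
  }
}
```

The point of routing every handler through `authorize` is that the workspace id from the request is never trusted on its own; membership, role and plan are all looked up server-side, and a client that edits the id in the URL gets the same response as for a workspace that does not exist.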

Data Handling

  • HTTPS everywhere with HSTS enforced
  • Database access through Prisma ORM, whose parameterized queries prevent SQL injection
  • Output escaping by default in Next.js/React, protecting against XSS
  • API rate limiting to prevent abuse
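An ORM stops SQL injection by parameterization, not by validating input: the query text and the values are sent to the database separately, so user input can never change the shape of the statement. The following added example (not TrackNCloak's or Prisma's code) shows the mechanism with a small `sql` tagged template of the kind Prisma's `$queryRaw` template provides, next to the string concatenation that `$queryRawUnsafe` with a concatenated string amounts to. The table name, the column names, the `sql`, `unsafeConcat` and `countOrClauses` helpers and the injection payload are constructed for illustration.

```javascript
// Added example, not TrackNCloak's code: why parameterized queries defeat SQL
// injection. `sql`, `unsafeConcat`, `countOrClauses`, the table/column names and
// the payload are constructed for illustration.

// A tagged template that separates query text from values: each interpolated
// value becomes a positional parameter ($1, $2, ...) and is shipped to the
// database out of band, never spliced into the SQL text.
function sql(strings, ...values) {
  let text = "";
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) text += `$${i + 1}`;
  });
  return { text, values };
}

// The pattern parameterization replaces: building the statement by string
// concatenation, so input is parsed as SQL.
function unsafeConcat(workspaceId, campaign) {
  return `SELECT * FROM clicks WHERE workspace_id = '${workspaceId}' AND campaign = '${campaign}'`;
}

// Rough indicator of whether a payload changed the statement: the number of
// OR keywords that ended up in the query *text*.
function countOrClauses(text) {
  return (text.match(/\bOR\b/gi) || []).length;
}

const hostile = "x' OR '1'='1"; // constructed injection payload

// Run the same lookup both ways and report what reached the database as SQL.
function demo() {
  const bad = unsafeConcat("ws_1", hostile);
  const good = sql`SELECT * FROM clicks WHERE workspace_id = ${"ws_1"} AND campaign = ${hostile}`;
  return {
    badText: bad,
    badOrClauses: countOrClauses(bad),         // the payload rewrote the WHERE clause
    goodText: good.text,
    goodOrClauses: countOrClauses(good.text),  // the payload is just the value of $2
    goodValues: good.values,
  };
}
```

With the tagged template the database receives `... WHERE workspace_id = $1 AND campaign = $2` and the payload only as the value of `$2`; the concatenated version receives a statement whose WHERE clause now contains `OR '1'='1'`. The practical rule for a Prisma code base is to use the ORM's query builder or the `$queryRaw` template, and to treat any `$queryRawUnsafe` call that takes a concatenated string as an injection finding regardless of what input validation sits in front of it.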

Supply Chain

  • Dependencies audited for known vulnerabilities
  • Built on well-maintained OSS (Next.js, Prisma, NextAuth)
  • Build pipeline with integrity checks

Payment Security

TrackNCloak uses Razorpay for all payment processing. We never see, store, or process your credit card numbers.

  • Razorpay is PCI DSS Level 1 compliant (the highest level)
  • Card data goes directly from your browser to Razorpay
  • Secure, HTTPS-encrypted checkout sessions
  • Subscription management processed securely through Razorpay

Data Retention

  • Active accounts: Data retained for the lifetime of your account, subject to your configured retention settings.
  • Deleted accounts: Data permanently removed from live systems within 30 days of account deletion.
  • Backups: Retained up to 30 days for disaster recovery, then permanently deleted. A backup taken before deletion may therefore hold a copy of the data for up to 30 days after it is removed from live systems.
  • Configurable: Set retention periods in your dashboard to auto-purge old tracking data.

Responsible Disclosure

If you discover a security vulnerability, please disclose it responsibly:

Email: help@trackncloak.com
Subject: Security Vulnerability Report - [Brief Description]

Our Commitment

  • Acknowledge your report within 24 hours
  • Investigate and provide a resolution timeline
  • No legal action against responsible researchers
  • Credit you (if desired) when resolved

Questions about our security practices? Contact help@trackncloak.com