Trust · Last updated 5/14/2026
Security & Incident Response
TractOps is a small, focused team. We don't have a multi-million-dollar security program — yet — but we've built the platform on top of vendors who do, and we keep the human-judgment parts simple, written-down, and honest.
Controls in place today
Hosting & infrastructure
- Application runs on Vercel (SOC 2 Type II, ISO 27001).
- Customer data lives in Neon Postgres with encryption at rest and in transit.
- All traffic is TLS 1.3 over HTTPS with HSTS preload enabled.
- Payments are processed by Stripe (PCI-DSS Level 1). We never see card numbers.
- Email sent through Resend with SPF, DKIM, and DMARC alignment.
Application security
- Passwords hashed with PBKDF2 + per-user salt via Web Crypto.
- Two-factor authentication (TOTP, RFC 6238) available for every account.
- Session tokens are httpOnly + SameSite cookies with 24-hour expiry, refreshed via signed JWT.
- Rate-limiting on every auth endpoint (login, register, password reset, 2FA, account deletion).
- Input validation with zod schemas on auth + critical routes.
- Content-Security-Policy headers, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Permissions-Policy lock-down on camera/microphone.
Data handling
- Customer data is logically isolated by community in every API route.
- GDPR & CCPA right-to-delete: dashboard → settings.
- Data retention policy is published and machine-readable.
- Production database backups are encrypted and kept 30 days.
Operational controls
- All errors are logged and aggregated via our self-hosted error monitor; new error classes alert support within seconds.
- Uptime is probed daily and recorded; the public status page reflects current state.
- Credentials live in Vercel encrypted env vars + 1Password. No secrets in git.
Incident response process
Our incident response is built around four phases. The team (currently a single person, our founder) is the entire on-call rotation.
1. Detect
Triggers include: error-monitor alert (new error fingerprint at error/fatal severity), uptime probe failure, customer report via contact@tractops.com, or anomaly in Stripe/Resend dashboards.
2. Triage (within 1 hour for P1, 1 business day for P2/P3)
P1 = production down or active data exposure. P2 = degraded service. P3 = single-user impact. Severity is set within the first hour of detection.
3. Contain & remediate
For P1 we roll back the deploy first (Vercel one-click) and investigate after. For data exposure we revoke affected credentials, expire sessions, and isolate the data.
4. Notify & postmortem
For incidents affecting customer data we follow the breach-notification commitments below. Every P1 gets a written postmortem published within 7 days, linked from the status page entry.
Breach notification
If we discover a confirmed unauthorized access to or disclosure of customer personal data, we commit to:
- Notify you within 72 hours of discovery (GDPR Article 33 alignment).
- Notify in writing to the email address on file for your account.
- Tell you what data was affected, when, and what we're doing about it.
- Provide a written postmortem on our status page within 7 days, including root cause and the steps we've taken to prevent recurrence.
- Comply with all applicable state notification laws (e.g., California Civil Code §1798.82), including notification to state attorneys general where required.
- For incidents affecting 500+ residents of any single state, notify that state's AG in addition to affected individuals.
We don't promise to notify you of every failed login attempt, brute-force probe, or security-research scan — those are background noise. Notification is reserved for actual confirmed unauthorized access.
Reporting a vulnerability
Found a security issue? Please email contact@tractops.com with the subject line "Security report". We acknowledge within 1 business day and aim to triage within 3 business days.
We don't run a paid bug bounty yet, but we do:
- Acknowledge your report publicly (with your permission) in the security changelog.
- Commit not to pursue legal action against good-faith research that follows responsible disclosure (no DoS, no data exfiltration beyond a proof of concept, no social engineering of staff).
What we're not yet
Honesty matters more than logos. As of today, TractOps is:
- Not SOC 2 audited — our infrastructure providers are; the application layer is not yet. We plan to pursue Type I once we have ~50 paying customers.
- Not HIPAA-eligible — we don't process protected health information. Don't store PHI in the platform.
- Not pen-tested by an external firm. We rely on automated static analysis + dependency scanning until customer demand justifies engagement.
If you need any of these for your community or organization to use TractOps, tell us — your need helps us prioritize.