Security
Your flip data is sensitive. We take security seriously at every layer — from encryption and authentication to infrastructure and access control.
How We Protect Your Data
Encryption at Rest & in Transit
All data stored in Trackly is encrypted at rest using AES-256. Every connection between your browser and our servers uses TLS 1.3. Your data is never transmitted or stored in plaintext.
Authentication & 2FA
Trackly uses industry-standard authentication via Supabase Auth. Two-factor authentication (2FA) via email OTP is available and recommended for all accounts. Session tokens are short-lived and rotated automatically.
Infrastructure Security
Trackly runs on SOC 2 Type II certified infrastructure. Our database is isolated behind a private VPC with no public internet access. Automated backups run daily and are stored in a separate geographic region.
Row-Level Security
Every database query is governed by Row-Level Security (RLS) policies. This means users can only ever read or write their own data — no cross-account data leakage is architecturally possible.
No Data Sharing or Advertising
Your financial data is never sold, shared with advertisers, or used for any purpose other than running your Trackly account. We have no ad-based business model — ever.
Secret Management
API keys and secrets are stored in isolated environment vaults and injected at runtime via Supabase Edge Function secrets. They are never committed to source code or exposed client-side.
Engineering Practices
- Security vulnerabilities are triaged within 48 hours
- Dependencies are reviewed and updated monthly
- Code changes go through peer review before deployment
- Automated vulnerability scanning runs on every build
- An incident response plan is in place, with a < 4hr notification SLA for critical issues
- Penetration testing performed annually by a third party
Responsible Disclosure
Found a security vulnerability in Trackly? We appreciate responsible disclosure. Please email us with a clear description of the issue — include steps to reproduce if possible. We will respond within 48 hours and keep you updated throughout the remediation process.
We ask that you do not publicly disclose vulnerabilities until we have had a reasonable time to investigate and patch them. We will credit researchers who help us improve Trackly's security.
security@trackly.app