Built like a bank. Priced like software.
Enterprise-grade security, compliance, and data protection — baked into every layer of Track New.
SOC 2 Type II
Independently audited controls for security, availability, and confidentiality. Report available on request.
AES-256 Encryption
All data at rest is encrypted using AES-256. Passwords are hashed with bcrypt (12 rounds).
TLS 1.3
All data in transit is encrypted with TLS 1.3. HSTS headers enforced across all endpoints.
India Data Residency
Your data is stored in AWS ap-south (Mumbai / Hyderabad). It never leaves India unless you explicitly export it.
SSO & SAML
Enterprise customers can use their existing identity provider. Google Workspace and Azure AD supported.
Role-Based Access Control
9 granular roles with permission-level control. Every action is audited with user, timestamp, and IP.
24x7 Monitoring
Real-time infrastructure monitoring, anomaly detection, and automated incident alerting around the clock.
Daily Backups
Automated daily backups with 30-day retention. Point-in-time recovery available. Cross-region replication for DR.
Pentests & Bounty
Annual third-party penetration testing. Responsible disclosure program for security researchers.
Security in depth
Infrastructure
Track New runs on AWS infrastructure in the ap-south region. Our services are deployed in containerized environments with automated scaling, health checks, and zero-downtime deployments. Network traffic is isolated using VPCs, security groups, and private subnets. All inter-service communication uses mutual TLS.
Application Security
Every API endpoint is protected by JWT-based authentication with short-lived access tokens and secure refresh token rotation. All user input is validated server-side using express-validator. SQL injection is prevented by Prisma ORM's parameterized queries. Rate limiting, CORS policies, and CSP headers are enforced globally.
Access Control
Track New enforces strict multi-tenant data isolation — every database query is scoped by company and branch. 9 role levels from Receptionist to Super Admin, each with granular permission checks. Admin actions are logged with full audit trails. Permission caches expire every 5 minutes.
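The tenant scoping, 5-minute permission cache and audit trail described above, as an added example that is not Track New's own code; it assumes a hypothetical Prisma-style `findMany` client, an injected permission loader and clock, and constructed invoice rows.

```javascript
// Added example, not Track New's code: tenant scoping, a 5-minute permission
// cache and an audit record, modelled on the Access Control section.
// `db` is a hypothetical Prisma-style client; the loader and clock are injected.
const PERMISSION_TTL_MS = 5 * 60 * 1000; // caches expire every 5 minutes

class TenantScopeError extends Error {}

// Force the caller's tenant onto every query. The context always wins, so a
// client-supplied companyId/branchId in `where` cannot widen the result set.
function scopedWhere(ctx, where = {}) {
  if (!ctx || !ctx.companyId || !ctx.branchId) {
    throw new TenantScopeError('query without tenant context refused');
  }
  return { ...where, companyId: ctx.companyId, branchId: ctx.branchId };
}

// Per-user permission cache; `loader(userId)` returns the user's permissions.
class PermissionCache {
  constructor(loader, now = Date.now) {
    this.loader = loader; this.now = now; this.entries = new Map();
  }
  get(userId) {
    const hit = this.entries.get(userId);
    if (hit && hit.expiresAt > this.now()) return hit.perms;
    const perms = new Set(this.loader(userId));
    this.entries.set(userId, { perms, expiresAt: this.now() + PERMISSION_TTL_MS });
    return perms;
  }
}

// Check the permission, run the scoped query, and append an audit row
// carrying user, timestamp and IP whether the action was allowed or not.
function runScoped(ctx, permission, where, cache, db, audit) {
  const allowed = cache.get(ctx.userId).has(permission);
  audit.push({ userId: ctx.userId, ip: ctx.ip, action: permission, allowed,
               at: new Date().toISOString() });
  if (!allowed) throw new Error('forbidden');
  return db.findMany({ where: scopedWhere(ctx, where) });
}

// Constructed in-memory stand-in for the database: rows from two companies.
const INVOICES = [
  { id: 1, companyId: 'c1', branchId: 'b1', total: 100 },
  { id: 2, companyId: 'c1', branchId: 'b2', total: 250 },
  { id: 3, companyId: 'c2', branchId: 'b1', total: 999 },
];
const fakeDb = {
  findMany({ where }) {
    return INVOICES.filter((r) => Object.entries(where).every(([k, v]) => r[k] === v));
  },
};
```

A caller who tries to read company `c2` from a `c1` session still receives only `c1` / `b1` rows, and the denied attempt is recorded in the audit list alongside the permitted one.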
Compliance
We are compliant with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023. All invoicing features support GST e-Invoice and GSTR-1 requirements. Data retention policies align with Indian tax regulations. We provide Data Processing Agreements (DPA) for enterprise customers.
Vulnerability Reporting
Found a security issue? Email [email protected] with details. We acknowledge within 24 hours, provide a fix timeline within 72 hours, and credit researchers who follow responsible disclosure. Do not test against production accounts without prior authorization.
Questions about our security practices?
Our team is happy to walk you through our security architecture and compliance documentation.