
Security Statement

Last Updated: February 15, 2026

At Tractic, security is our highest priority. We handle sensitive financial data (bank transactions, property values, personal information) and implement industry-leading security practices to protect your information.

1. Data Encryption

1.1 Encryption at Rest

All sensitive data stored in our database is encrypted using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode), an authenticated encryption mode that both encrypts each value and lets us detect if it has been altered. Specifically:

  • Plaid Access Tokens: Encrypted with unique initialization vectors (IVs) and authentication tags
  • Financial Amounts: Property values, mortgage balances, and transaction amounts are encrypted
  • Encryption Keys: Stored securely in environment variables, never in source code or database

Technical Details: We use a 256-bit encryption key with randomly generated 16-byte IVs per encryption. Each encrypted value includes an authentication tag to ensure data integrity and prevent tampering.

1.2 Encryption in Transit

All data transmitted between your browser and our servers is protected using:

  • TLS 1.3 (HTTPS): The latest Transport Layer Security protocol
  • Perfect Forward Secrecy: Session keys are ephemeral, so recorded past sessions cannot be decrypted even if our server's long-term private key is later compromised
  • HSTS (HTTP Strict Transport Security): Forces all connections to use HTTPS

2. Authentication & Access Control

2.1 User Authentication

  • Google OAuth 2.0: Industry-standard authentication protocol. We NEVER store your Google password.
  • Session Management: Secure session cookies with the HttpOnly flag (page scripts cannot read the cookie, limiting the impact of XSS) and the SameSite flag (restricts sending the cookie on cross-site requests, mitigating CSRF)
  • Session Expiration: Sessions automatically expire after 7 days of inactivity
  • Device Tracking: We monitor login locations and devices for suspicious activity

2.2 Database Access Control

We implement Row Level Security (RLS) in our Supabase PostgreSQL database:

  • Users can ONLY access their own data (properties, transactions, contacts)
  • Database queries are automatically filtered by user ID
  • Because the filtering is enforced by the database itself rather than by application code, even a flaw in our application code does not let users access each other's data

2.3 API Authentication

  • Middleware Protection: All API routes require valid authentication
  • No Public Endpoints: Sensitive data is never exposed without authentication
  • Rate Limiting: Prevents brute-force attacks and API abuse (future enhancement)

3. Third-Party Integrations

3.1 Plaid (Bank Connections)

Plaid is a trusted financial services API used by Venmo, Robinhood, and thousands of financial apps.

  • Bank Login Credentials: NEVER shared with us. Plaid uses OAuth to securely connect to your bank.
  • Read-Only Access: We can ONLY read transaction data. We CANNOT move money or make transfers.
  • Encrypted Tokens: Plaid access tokens are encrypted with AES-256-GCM before storage
  • Webhook Verification: All Plaid webhooks are verified with HMAC signatures (future enhancement)
  • Security Certifications: Plaid is SOC 2 Type II certified and complies with banking regulations

Learn more: Plaid Security Overview

3.2 Stripe (Payments)

  • PCI DSS Level 1 Compliant: The highest level of payment security certification
  • Card Data: NEVER touches our servers. Stripe handles all card processing.
  • Webhook Verification: All Stripe webhooks are verified with cryptographic signatures
  • What We Store: Only Stripe Customer IDs and Subscription IDs (no card numbers)

Learn more: Stripe Security

3.3 AI Services (OpenAI, Google Gemini)

AI-powered property intelligence reports are generated using:

  • OpenAI GPT-4: Property analysis and market insights
  • Google Gemini AI: Investment opportunity detection
  • AWS Bedrock: AI agent orchestration

Important: When you generate an AI report, property data (address, financials) is sent to these AI services. Data is processed securely but is subject to each provider's terms of service. AI providers do NOT use your data to train public models.

4. Infrastructure Security

4.1 Hosting & Deployment

  • Vercel: Enterprise-grade hosting with automatic HTTPS, DDoS protection, and global CDN
  • Supabase: Fully managed PostgreSQL with automatic backups and disaster recovery
  • Geographic Redundancy: Data is replicated across multiple availability zones
  • Automatic Backups: Daily database backups retained for 30 days

4.2 Content Security Policy (CSP)

We implement strict Content Security Policy headers to prevent XSS attacks:

  • Scripts can only load from trusted sources (Plaid, Google, our own domain)
  • Inline JavaScript execution is restricted
  • Frames can only be embedded from authorized domains

4.3 Security Headers

We set the following HTTP security headers on all responses:

  • Content-Security-Policy
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security (HSTS)
  • Permissions-Policy (disables unnecessary browser features)
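As an added check (not Tractic's code) for the headers listed in 4.2 and 4.3, the block below audits a response's headers and parses its CSP, flagging the weaknesses those sections rule out (framing, MIME sniffing, missing HSTS, inline or wildcard script sources). The allowlisted hosts and both sample header sets are constructed.

```javascript
// Added example (not Tractic's code): audit a response against the header policy in
// sections 4.2 and 4.3. Header names are real; the allowlisted hosts are placeholders.

function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  if (h['x-frame-options'] !== 'DENY') findings.push('X-Frame-Options should be DENY');
  if (h['x-content-type-options'] !== 'nosniff') findings.push('X-Content-Type-Options should be nosniff');
  const hsts = /max-age=(\d+)/.exec(h['strict-transport-security'] || '');
  if (!hsts || Number(hsts[1]) < 31536000) findings.push('Strict-Transport-Security missing or max-age under one year');
  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  if (!h['content-security-policy']) { findings.push('Content-Security-Policy missing'); return findings; }
  const csp = parseCsp(h['content-security-policy']);
  const scripts = csp['script-src'] || csp['default-src'] || []; // script-src falls back to default-src
  if (scripts.length === 0) findings.push('CSP has no script-src or default-src');
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:']) {
    if (scripts.includes(bad)) findings.push(`script-src allows ${bad}`);
  }
  if (!csp['frame-ancestors']) findings.push('CSP lacks frame-ancestors (framing controlled only by X-Frame-Options)');
  return findings;
}

// Constructed sample: a strict deployment matching 4.2 and 4.3 (hosts are placeholders).
const STRICT_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.plaid.example https://accounts.google.example; frame-ancestors 'none'; frame-src https://cdn.plaid.example",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

// Constructed sample: a weak deployment that allows inline scripts and wildcard sources.
const WEAK_HEADERS = {
  'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline' *",
  'X-Frame-Options': 'SAMEORIGIN',
};
```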

5. Application Security

5.1 Input Validation

  • SQL Injection Prevention: All database queries use parameterized statements (no raw SQL)
  • XSS Prevention: User input is sanitized and escaped before rendering
  • CSRF Protection: State-changing requests require valid session tokens

5.2 Dependency Management

  • Automated Scans: npm audit runs on every deployment to detect vulnerabilities
  • Regular Updates: Dependencies are updated monthly with security patches
  • Latest Versions: We use the latest stable versions of Next.js, React, and security libraries

5.3 Code Security

  • No Hardcoded Secrets: All API keys and secrets are stored in encrypted environment variables
  • Secure Coding Practices: Code reviews and security audits before deployment
  • Error Handling: Error messages do not expose sensitive system information

6. Data Protection Practices

6.1 Data Minimization

We only collect data necessary to provide the Service:

  • We do NOT collect browsing history, location data, or device fingerprints
  • We do NOT sell or share your data with third parties for marketing
  • Optional fields (phone number, custom property notes) are truly optional

6.2 Data Retention

  • Active Accounts: Data retained while your account is active
  • Deleted Accounts: Data deleted within 30 days of account deletion request
  • Backups: Deleted data purged from backups within 90 days
  • Tax Records: Transaction history retained for 7 years per IRS requirements (unless you request deletion)

6.3 Employee Access

  • Employees have NO access to user data by default
  • Support access is granted only when you request help (with your permission)
  • All access is logged and audited
  • Employees sign confidentiality agreements

7. Incident Response

In the event of a security breach or data incident:

  1. Detection: Automated monitoring detects anomalies 24/7
  2. Containment: Affected systems are isolated within minutes
  3. Investigation: Security team determines scope and impact
  4. Notification: Affected users are notified within 72 hours (GDPR requirement)
  5. Remediation: Vulnerabilities are patched and security measures enhanced
  6. Reporting: Incidents reported to authorities as required by law

Contact for Security Issues: If you discover a security vulnerability, please report it to security@tractic.io. We take all reports seriously and will respond within 48 hours.

8. Compliance & Certifications

8.1 Regulatory Compliance

  • GDPR (General Data Protection Regulation): Compliant with EU privacy laws
  • CCPA (California Consumer Privacy Act): Compliant with California privacy laws
  • SOC 2 Type II: Supabase and Plaid are certified (we inherit their certifications)

8.2 Regular Audits

  • Security Audits: Quarterly internal security reviews
  • Penetration Testing: Annual third-party penetration tests
  • Vulnerability Scans: Automated scans on every code deployment

9. Your Responsibilities

Security is a shared responsibility. To protect your account:

  • Use a Strong Google Password: Enable 2FA on your Google account
  • Log Out on Shared Devices: Always log out when using public computers
  • Keep Software Updated: Use the latest browser version and OS security patches
  • Beware of Phishing: Tractic will NEVER ask for your password via email
  • Report Suspicious Activity: Contact us immediately if you notice unauthorized access

10. Continuous Improvement

Security is an ongoing process. We continuously enhance our security posture through:

  • Monitoring the latest security threats and vulnerabilities
  • Updating dependencies and infrastructure regularly
  • Training our team on secure coding practices
  • Implementing industry best practices and frameworks
  • Engaging with the security community for feedback

11. Contact Information

For security-related questions or to report a vulnerability:

Last Reviewed: This Security Statement is based on the actual security practices implemented in Tractic as of February 15, 2026. We conduct regular security audits and update this statement as practices evolve. Please check back periodically for updates.