Security

How we protect your data and your team's information.

Last updated: 16 March 2026

At PerfTrack, security is not an afterthought: it's built into how we design and operate the platform. Here's what we do to keep your data safe.

Data Encryption

  • In transit: All data between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). Your browser will show a padlock icon confirming this.
  • At rest: Sensitive data, including passwords, is hashed using bcrypt before storage. We never store plaintext passwords.
  • Payment data: We never store credit or debit card numbers. All payment processing is handled by Flutterwave, a PCI DSS-compliant payment provider.

Authentication

  • Session tokens are signed with a secure JWT secret and expire after 7 days
  • HTTP-only cookies prevent JavaScript access to session tokens
  • All API endpoints require valid authentication
  • Organisation data is strictly isolated: users can only access data belonging to their organisation

Infrastructure

  • Hosted on Render, a SOC 2 Type II certified cloud platform
  • PostgreSQL database with automated daily backups
  • Automatic SSL certificate management via Let's Encrypt
  • Regular dependency updates to patch known vulnerabilities

Access Controls

  • Role-based access: Admin, Manager, and Employee roles with different permission levels
  • Admins can view and manage all data within their organisation
  • Employees can only access their own data and what's explicitly shared with them
  • No cross-organisation data access is possible

Reporting a Vulnerability

If you discover a security vulnerability in PerfTrack, please report it responsibly by emailing support@perftrackapp.com with the subject line "Security Vulnerability". We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly.

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

Contact

For security-related questions, contact us at support@perftrackapp.com.