Skip to main contentSkip to main content

Security Statement

Last Updated: June 26, 2026

Tractic handles sensitive financial data including bank transactions, property values, documents, and personal information. This statement describes the security controls currently implemented in the product and identifies roadmap items separately.

1. Data Encryption

1.1 Encryption at Rest

Sensitive data stored in our database is encrypted using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode), an authenticated encryption algorithm. Specifically:

  • Plaid Access Tokens: Encrypted with unique initialization vectors (IVs) and authentication tags
  • Financial Amounts: Property values, mortgage balances, and transaction amounts are encrypted
  • Encryption Keys: Stored securely in environment variables, never in source code or database

Technical Details: We use a 256-bit encryption key with randomly generated 16-byte IVs per encryption. Each encrypted value includes an authentication tag to ensure data integrity and prevent tampering.

1.2 Encryption in Transit

All data transmitted between your browser and our servers is protected using:

  • TLS 1.3 (HTTPS): The latest Transport Layer Security protocol
  • Perfect Forward Secrecy: Ensures past sessions remain secure even if keys are compromised
  • HSTS (HTTP Strict Transport Security): Forces all connections to use HTTPS

2. Authentication & Access Control

2.1 User Authentication

  • Google OAuth 2.0: Industry-standard authentication protocol. We NEVER store your Google password.
  • Session Management: Secure session cookies with HttpOnly and SameSite flags to prevent XSS and CSRF attacks
  • Session Expiration: Sessions automatically expire after 7 days of inactivity
  • Device Tracking: Monitor login locations and devices for suspicious activity

2.2 Database Access Control

We implement Row Level Security (RLS) in our Supabase PostgreSQL database:

  • Users can ONLY access their own data (properties, transactions, contacts)
  • Database queries are automatically filtered by user ID
  • Even if our application code is compromised, users cannot access each other's data

2.3 API Authentication

  • Middleware Protection: Sensitive API routes require valid authentication
  • No Public Sensitive Data: User financial data is never exposed without authentication
  • Rate Limiting: Implemented on sensitive and AI endpoints to reduce brute-force attacks and API abuse

3. Third-Party Integrations

3.1 Plaid (Bank Connections)

Plaid is a trusted financial services API used by Venmo, Robinhood, and thousands of financial apps.

  • Bank Login Credentials: NEVER shared with us. Plaid uses OAuth to securely connect to your bank.
  • Read-Only Access: We can ONLY read transaction data. We CANNOT move money or make transfers.
  • Encrypted Tokens: Plaid access tokens are encrypted with AES-256-GCM before storage
  • Webhook Verification: Plaid webhook requests are verified before processing
  • Security Certifications: Plaid is SOC 2 Type II certified and complies with banking regulations

Learn more: Plaid Security Overview

3.2 Stripe (Payments)

  • PCI DSS Level 1 Compliant: The highest level of payment security certification
  • Card Data: NEVER touches our servers. Stripe handles all card processing.
  • Webhook Verification: All Stripe webhooks are verified with cryptographic signatures
  • What We Store: Only Stripe Customer IDs and Subscription IDs (no card numbers)

Learn more: Stripe Security

3.3 AI Services

Product AI features are generated primarily using:

  • Anthropic Claude: Product AI for reports, extraction, and Coach Cashew responses
  • Google Gemini and OpenAI: Used for admin marketing/content tooling, not as the primary user financial-data path

Important:When you generate an AI report, property data (address, financials) is sent to the applicable product AI provider. Data is processed securely but is subject to each provider's terms of service. Product AI providers do NOT use your data to train public models.

3.4 Subprocessors

Tractic uses subprocessors to provide hosting, storage, payments, bank connectivity, communications, analytics, document ingestion, and property-data enrichment. Key subprocessors include:

  • Core infrastructure: Supabase, Vercel, Upstash, GitHub
  • Financial and billing: Plaid for read-only bank connectivity; Stripe for subscription billing
  • Product AI: Anthropic Claude
  • Communications: Resend, Telnyx, and browser push services
  • Document ingestion and sync: Google Workspace APIs, including Gmail statement ingestion and Google Drive; Microsoft Graph / OneDrive
  • Analytics and observability: PostHog
  • External property data APIs: RentCast, Inflecto, and Google Maps Geocoding

Document-ingestion sensitivity: Gmail, Google Drive, and OneDrive integrations may receive user financial documents such as owner statements, leases, closing disclosures, invoices, and property records when users connect or forward documents for processing.

4. Infrastructure Security

4.1 Hosting & Deployment

  • Vercel: Enterprise-grade hosting with automatic HTTPS, DDoS protection, and global CDN
  • Supabase: Fully managed PostgreSQL with automatic backups and disaster recovery
  • Geographic Redundancy: Data is replicated across multiple availability zones
  • Automatic Backups: Daily database backups retained for 30 days

4.2 Content Security Policy (CSP)

We implement strict Content Security Policy headers to prevent XSS attacks:

  • Scripts can only load from trusted sources (Plaid, Google, our own domain)
  • Inline JavaScript execution is restricted
  • Frames can only be embedded from authorized domains

4.3 Security Headers

We set the following HTTP security headers on all responses:

  • Content-Security-Policy
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security (HSTS)
  • Permissions-Policy (disables unnecessary browser features)

5. Application Security

5.1 Input Validation

  • SQL Injection Prevention: All database queries use parameterized statements (no raw SQL)
  • XSS Prevention: User input is sanitized and escaped before rendering
  • CSRF Protection: State-changing requests require valid session tokens

5.2 Dependency Management

  • Automated Alerts: Dependency and secret-scanning tooling is used to detect known vulnerabilities and committed secrets
  • Regular Updates: Dependencies are updated as security patches and product priorities require
  • Latest Versions: We use the latest stable versions of Next.js, React, and security libraries

5.3 Code Security

  • No Hardcoded Secrets: API keys and secrets are stored in managed environment configuration, not source code
  • Secure Coding Practices: Code review and automated checks are part of the deployment workflow
  • Error Handling: Error messages do not expose sensitive system information

6. Data Protection Practices

6.1 Data Minimization

We only collect data necessary to provide the Service:

  • We do NOT collect browsing history, location data, or device fingerprints
  • We do NOT sell or share your data with third parties for marketing
  • Optional fields (phone number, custom property notes) are truly optional

6.2 Data Retention

  • Active Accounts: Data retained while your account is active
  • Deleted Accounts: Data deleted within 30 days of account deletion request
  • Backups: Deleted data purged from backups within 90 days
  • Tax Records: Transaction history retained for 7 years per IRS requirements (unless you request deletion)

6.3 Employee Access

  • Employees have NO access to user data by default
  • Support access is granted only when you request help (with your permission)
  • All access is logged and audited
  • Employees sign confidentiality agreements

7. Incident Response

Tractic maintains a pragmatic incident-response posture appropriate for the current team and product stage:

  1. Detection: Platform monitoring, product/error observability, dependency alerts, and vulnerability reports help identify issues
  2. Containment: We prioritize limiting access, rotating secrets, disabling affected integrations, and preserving evidence as needed
  3. Investigation: We determine scope, affected data, root cause, and required remediation
  4. Notification: We notify affected users and authorities as required by applicable law and contractual obligations
  5. Remediation: Vulnerabilities are patched and security measures enhanced
  6. Roadmap: Formal 24/7 security operations coverage and contractual breach-notification SLAs are planned for later enterprise-readiness work

Contact for Security Issues: If you discover a security vulnerability, please report it to security@tractic.io. We take all reports seriously and will respond within 48 hours.

8. Compliance & Certifications

8.1 Regulatory Compliance

  • GDPR (General Data Protection Regulation): Designed to align with core GDPR data-protection principles; a formal compliance program is on the roadmap
  • CCPA (California Consumer Privacy Act): Designed to align with core CCPA privacy principles; a formal compliance program is on the roadmap
  • SOC 2: Tractic is not yet SOC 2 audited. We run on SOC 2 Type II-certified infrastructure and processors, including providers such as Supabase, Vercel, Plaid, and Stripe. A Tractic SOC 2 audit is a roadmap item for enterprise demand.

8.2 Security Review Roadmap

  • Internal Reviews: Formal access-review and security-review cadence is planned as the team scales
  • Penetration Testing: Independent third-party penetration testing is planned when enterprise demand warrants it
  • Vulnerability Management: Dependency alerts, secret scanning, code review, and platform monitoring are used today; formalized recurring reporting is on the roadmap

9. Your Responsibilities

Security is a shared responsibility. To protect your account:

  • Use a Strong Google Password: Enable 2FA on your Google account
  • Log Out on Shared Devices: Always log out when using public computers
  • Keep Software Updated: Use the latest browser version and OS security patches
  • Beware of Phishing: Tractic will NEVER ask for your password via email
  • Report Suspicious Activity: Contact us immediately if you notice unauthorized access

10. Continuous Improvement

Security is an ongoing process. We continuously enhance our security posture through:

  • Monitoring the latest security threats and vulnerabilities
  • Updating dependencies and infrastructure regularly
  • Training our team on secure coding practices
  • Implementing industry best practices and frameworks
  • Engaging with the security community for feedback

11. Contact Information

For security-related questions or to report a vulnerability:

Last Reviewed: This Security Statement is based on the security practices implemented in Tractic as of June 26, 2026. Forward-looking items are labeled as roadmap items. Please check back periodically for updates.