
Security & Data Protection

Last Updated: November 23, 2025

Your data security and privacy are our top priorities. This page explains the comprehensive security measures we implement to protect your information.

Data Encryption

Encryption in Transit

  • TLS 1.3 Encryption: All data transmitted between your browser and our servers is encrypted using industry-standard TLS 1.3 protocol
  • HTTPS Only: Our entire application runs over HTTPS with strict transport security (HSTS) enabled
  • API Security: All API requests to third-party services (Anthropic Claude) use encrypted connections

Encryption at Rest

  • Database Encryption: Your accomplishment data is encrypted at rest using AES-256 encryption
  • Backup Encryption: All database backups are encrypted before storage
  • Secure Storage: Files and attachments are encrypted and stored in isolated, secure storage

Authentication & Access Control

Password Security

  • Bcrypt password hashing with a per-password salt (cost factor 12)
  • Passwords are never stored in plain text
  • Minimum password strength enforced
  • Rate limiting on login attempts to slow credential guessing

Session Management

  • Session cookies set with the Secure and HttpOnly attributes
  • Automatic session expiration
  • CSRF token protection on state-changing requests
  • Device fingerprinting

OAuth2 Integration

When signing in with Google, we use industry-standard OAuth2 protocol. We never receive or store your Google password. Only essential profile information (name, email, photo) is accessed with your explicit permission.

Infrastructure Security

  • Trusted Hosting

    Hosted on Vercel's secure infrastructure with enterprise-grade reliability and 99.99% uptime SLA

  • DDoS Protection

    Built-in protection against distributed denial-of-service attacks and malicious traffic

  • Isolated Database

    PostgreSQL database runs in isolated environment with firewall rules restricting unauthorized access

  • Automated Backups

    Daily encrypted backups with point-in-time recovery capability for disaster recovery

Privacy by Design

Data Minimization

We only collect data necessary to provide the service. No tracking of browsing behavior outside our application.

Private by Default

All accomplishments are private to you. We never share your data with third parties for marketing purposes.

No AI Training

Your data is never used to train AI models. Anthropic states that data sent through its API is not used to train its models.

User Control

Full control over your data. Export, delete, or modify your information at any time.

Application Security

  • Input Validation: All user input is validated and sanitized before use to prevent injection attacks
  • XSS Protection: Content Security Policy (CSP) headers restrict which scripts the browser may run, limiting the impact of cross-site scripting
  • SQL Injection Prevention: Database queries are built through the Prisma ORM, which parameterizes them rather than concatenating user input into SQL
  • Rate Limiting: API endpoints are rate-limited to curb abuse and brute-force attacks
  • Dependency Scanning: Automated scans for vulnerable dependencies, with timely updates

Ongoing Security Practices

Security Monitoring

24/7 automated monitoring for suspicious activity, unauthorized access attempts, and security anomalies

Regular Updates

All software dependencies and frameworks are kept up-to-date with latest security patches

Security Audits

Regular security reviews and penetration testing to identify and address vulnerabilities

Incident Response

Documented incident response plan to quickly address any security concerns

Your Security Responsibilities

While we implement robust security measures, you play a crucial role in protecting your account:

  • Use a strong, unique password (at least 12 characters with mixed case, numbers and symbols, or a longer passphrase; a password manager can generate and store one for you)
  • Never share your password or session cookies
  • Log out from shared or public computers
  • Be cautious of phishing emails claiming to be from ValueTracker
  • Report suspicious activity immediately
  • Keep your device and browser updated

Compliance & Certifications

  • GDPR: Compliant
  • SOC 2 Type II: Infrastructure (the hosting provider's attestation)
  • ISO 27001: Held by the hosting provider

Report a Security Issue

We take security reports seriously. If you discover a security vulnerability, please report it responsibly:

Security Email: security@valuetracker.app

PGP Key: Available upon request

Please do not publicly disclose the issue until we've had a chance to address it. We aim to respond within 48 hours.

Summary

Security is not just a feature—it's foundational to everything we do. Your professional accomplishments are sensitive data, and we treat them with the highest level of protection.

Questions about our security practices? Contact us at security@valuetracker.app