This page describes the security measures built into Tracore. We focus on concrete, verifiable practices rather than claims we cannot back up. We hold no formal security certifications at this stage and do not claim any.
Authentication
User accounts are managed by an established authentication library. Passwords are
hashed before storage; we never store them in plain text. Sessions use cookies
that are HttpOnly, which keeps them out of reach of page scripts, and set with
SameSite=Lax to reduce exposure to cross-site attacks.
API keys
API access uses keys issued through our authentication layer. Keys are hashed at
rest, carry a dsk_ prefix for easy identification, and can be revoked from your
settings at any time. Treat your API keys as secrets and rotate them if you
suspect exposure.
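The sketch below is an added example, not Tracore's code: it shows one common way to issue, store, verify and revoke prefixed keys so that only a digest is kept at rest. Everything beyond the dsk_ prefix (the key layout, the KeyStore class, the function names) is an assumption made for illustration.

```python
import hashlib
import hmac
import re
import secrets

PREFIX = "dsk_"  # prefix named on the page; the rest of the format is assumed
# Assumed layout: dsk_<8 hex id>_<43 url-safe chars>; usable for secret scanning.
KEY_RE = re.compile(r"dsk_[0-9a-f]{8}_[A-Za-z0-9_-]{43}")

def _digest(key: str) -> bytes:
    # A fast hash is adequate here only because the key is 256 random bits;
    # low-entropy secrets such as passwords need a slow password hash instead.
    return hashlib.sha256(key.encode()).digest()

class KeyStore:
    """In-memory stand-in for a key table (hypothetical); holds digests only."""

    def __init__(self):
        self.rows = {}  # key_id -> {"digest": bytes, "revoked": bool}

    def issue(self):
        """Return (key_id, key). The plaintext key is shown once, never stored."""
        key_id = secrets.token_hex(4)
        key = f"{PREFIX}{key_id}_{secrets.token_urlsafe(32)}"
        self.rows[key_id] = {"digest": _digest(key), "revoked": False}
        return key_id, key

    def revoke(self, key_id):
        self.rows[key_id]["revoked"] = True

    def verify(self, presented):
        """Return the key_id of a valid, unrevoked key, else None."""
        if not KEY_RE.fullmatch(presented):
            return None
        key_id = presented[len(PREFIX):len(PREFIX) + 8]
        row = self.rows.get(key_id)
        if row is None or row["revoked"]:
            return None
        # Constant-time comparison of digests.
        ok = hmac.compare_digest(row["digest"], _digest(presented))
        return key_id if ok else None

def find_leaked_keys(text):
    """Locate key-shaped strings in logs or commits so they can be revoked."""
    return KEY_RE.findall(text)
```

A fixed prefix is what makes the last function practical: the same pattern can be handed to a log scrubber or a repository secret scanner.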
Data at rest
- Documents are stored in object storage hosted in the European Union.
- Provider keys that you connect (BYOK) are encrypted with AES-256-GCM before storage.
- Database backups are managed through our hosting provider.
Data in transit
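All traffic to Tracore is encrypted in transit using TLS 1.2 or higher. We use Cloudflare in Full (strict) SSL mode, so traffic is encrypted both between the visitor and Cloudflare and between Cloudflare and our origin, and Cloudflare validates the origin certificate.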
Tenant isolation
Tracore is multi-tenant. Access to your data is scoped by workspace ownership checks, and a per-request context layer enforces that scope on every API call, so one tenant cannot reach another tenant’s data.
Payment security
Payments are handled through our payment processor’s hosted checkout. Card data is entered directly with the processor and does not pass through or get stored on our systems, which keeps our PCI scope to a minimum.
Vulnerability disclosure
We publish a security contact at /.well-known/security.txt. If you believe you have found a security issue, please report it to security@tracore.io. We do not run a paid bug bounty program yet — this is something we plan to add.
Incident response
If a personal data breach occurs that is likely to affect your rights, we aim to notify affected users and the relevant authority within 72 hours, in line with the GDPR.