Security

Your data is safe with Simpletrak.

We've built security into every layer of the platform — from authentication and encryption, to the infrastructure your data runs on. Here's exactly how.

SOC 2 Type II | ISO 27001 | AES-256 Encryption | 99.99% Uptime SLA

AES-256: Encryption at rest & in transit
99.99%: Uptime SLA — DigitalOcean
Daily: Automated backups with redundancy
Zero permanent data deletion — full audit trail
Platform security
Built secure from the ground up
Every layer of Simpletrak is engineered with security as a default — not an afterthought.
Authentication & Access Control
How we verify identity and control access
Two-factor authentication (2FA) — email-based with time-limited codes that expire after 10 minutes
API token authentication — Laravel Sanctum bearer tokens, revocable per device
Role-based access control (RBAC) — granular permissions per user and role via Spatie
Licence enforcement — middleware-level licence validation on every request
Password security — Bcrypt hashing (cost factor 10) with configurable reset throttling
Re-authentication — required for sensitive operations, with a 3-hour session timeout
Encryption & Data Protection
How your data is protected at rest and in transit
AES-256-CBC encryption for all data at rest
SSL/TLS database connections supported and enabled by default
Encrypted cookies — the HttpOnly flag keeps session cookies out of reach of page scripts (XSS-based session theft) and the SameSite flag limits cross-site sending
Sensitive data excluded from session flashing — passwords and PII never stored in flash data
PII protection in error reporting — sensitive data automatically redacted from Sentry by default
SQL query bindings redacted in all error tracking outputs
API & Application Security
How we protect against attacks and abuse
CSRF protection on all state-changing requests
Rate limiting — 60 requests per minute per user/IP to prevent abuse
Server-side input validation on all endpoints — field type, length, format, and foreign key existence
SQL injection prevention — Eloquent ORM and query builder use PDO parameter binding by default
XSS protection — Blade templating engine auto-escapes all output by default
Mass assignment protection — all models require explicit field declarations to prevent unauthorised modification
Configurable CORS policy — allowed origins controlled at application level
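As an added illustration (not Simpletrak's code) of two items in the list above, the following shows how Laravel's mass assignment protection and per-user/IP rate limiting work; the model, field and route names are hypothetical.

```php
<?php
// Added example (not Simpletrak's code): Laravel mass assignment
// protection and per-user/IP rate limiting. Model, field and route
// names are hypothetical.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

// Weak form: an empty $guarded list makes every column mass assignable,
// so a request body that also contains is_admin=1 would set it via create().
class UnguardedUser extends Model
{
    protected $table = 'users';
    protected $guarded = [];
}

// Hardened form: only the listed fields may be filled in bulk. Any other
// attribute in the input is discarded by fill()/create(), so is_admin can
// only be set by explicit assignment in trusted code.
class User extends Model
{
    protected $fillable = ['name', 'email', 'password'];
}

function registerUser(Request $request): User
{
    // Server-side validation of type, length and format. validate()
    // returns only the validated keys, so extra input never reaches the model.
    $data = $request->validate([
        'name'     => ['required', 'string', 'max:255'],
        'email'    => ['required', 'email', 'max:255', 'unique:users,email'],
        'password' => ['required', 'string', 'min:12'],
    ]);
    $data['password'] = bcrypt($data['password']); // cost set in config/hashing.php

    return User::create($data);
}

// Rate limiter: 60 requests per minute, keyed by user id when authenticated
// and by client IP otherwise. Register this in a service provider's boot()
// and apply it with the 'throttle:api' middleware on the route group.
RateLimiter::for('api', function (Request $request) {
    return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});
```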
Audit & Monitoring
How we track activity and detect issues
Comprehensive activity logging — every data mutation tracked with user attribution, timestamps, module, and description
Soft deletes — records are never permanently destroyed, enabling full audit trail and data recovery
Real-time error monitoring — Sentry integration with performance tracking and automatic alerts
Deployment audit trail — full history of who deployed what and when
Built on Laravel — actively maintained and security-patched
Simpletrak is built on Laravel, which receives active security updates under the framework's LTS policy. Any vulnerability identified in the framework is patched upstream and deployed to our platform automatically, and we rely on the framework's built-in protections: host header injection prevention, secure headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security), signed URLs, request sanitization, and environment isolation. Sensitive configuration is stored in environment files and never committed to source control.
Infrastructure
Enterprise-grade infrastructure, independently certified
Simpletrak runs on DigitalOcean, managed by Laravel Forge — with backups stored redundantly across multiple locations.
DigitalOcean
SOC 2 Type II & ISO 27001 certified cloud infrastructure
SOC 2 Type II & SOC 3 independently audited
ISO 27001 certified
DDoS mitigation & private VPC networking
AES-256 encryption on all block storage and Spaces
KVM hypervisors with strict tenant isolation
Biometric data centre access & 24/7 surveillance
99.99% uptime SLA — redundant power, cooling & networking
Data residency options — US, EU, and Asia-Pacific regions
Laravel Forge
Hardened server management and zero-downtime deployment
Automated SSL/TLS certificates via Let's Encrypt — auto-renewed
SSH key-only access — password SSH disabled by default
UFW firewall — only ports 22, 80, and 443 exposed
Zero-downtime atomic deployments
Automated OS-level security patches applied unattended
Isolated site environments — each app runs under its own Linux user
Encrypted environment variable storage — never exposed in deployment scripts
Daemon monitoring — automatic restart of failed services
Storage & Backups
Redundant, encrypted storage across multiple locations
Daily automated backups — stored in multiple local and cloud locations
AWS S3-compatible storage via DigitalOcean Spaces with access control
Point-in-time recovery for managed databases
MySQL 8.0 — health-checked, volume-persisted, utf8mb4 charset
Redis encrypted caching layer
Docker containerized environment with isolated services
Private VPC networking — internal services not exposed to public internet
Certifications & compliance
Independently audited and verified
Our infrastructure partner DigitalOcean holds the following independent certifications — so you can be confident the platform your data runs on has been rigorously assessed.
SOC 2 Type II
Independently audited security, availability, and confidentiality controls
SOC 3
Publicly available audit report on infrastructure security controls
ISO 27001
International standard for information security management systems
GDPR Ready
Data residency options in EU regions with GDPR-aligned data handling
Found a security issue?
We take every security report seriously. If you've discovered a potential vulnerability in Simpletrak, please let us know via our contact form. We'll acknowledge your report within 1 business day and work to resolve confirmed issues as quickly as possible. We ask that you give us reasonable time to investigate before any public disclosure.
Report a vulnerability