Security
What we protect, how we protect it, and, honestly, what we don't have yet. Updated as the posture evolves.
Your Stripe secret key never sits in plaintext at rest. AES-256 envelope encryption with a per-deployment master key, TraceTxn operators can't read your Stripe key from the database, full stop.
Every state change on every order appends a SHA-256-linked event. The chain is append-only at the model layer, service-layer bugs can't silently rewrite history.
Every business-data row carries `orgId`. Lookup-by-id pins both `_id` AND `orgId` at the query layer, so a Tenant-A actor holding a guessed Tenant-B id gets a clean 404, not a real document.
Firebase Auth for sign-in (Google + email/password), short-lived signed JWT cookie for the session. Every protected route runs through a proxy that verifies the JWT signature, role, and org membership before the handler sees the request.
Stripe webhooks are verified against your per-org signing secret BEFORE the handler runs. Replays + double-deliveries dedupe against a durable `processed_webhook_events` collection, not the order doc.
Cloudflare Turnstile gates every public form (login, signup, quotation, contact). Rate-limits at the request layer protect the auth + payment-exchange endpoints from credential-stuffing.
What we don't have yet
Most startup security pages claim certifications they don't have. We'd rather just tell you.
We're early. We don't have a SOC 2 Type II report, and we won't claim we do. Compliance pursuit starts when we have the customer volume to justify the audit cost.
Today we run in one DigitalOcean region with daily Mongo Atlas snapshots. Multi-region failover is on the roadmap when paying tenant density crosses the threshold that justifies the operational overhead.
We've done internal threat modelling + code review. A formal third-party penetration test is scheduled before we open the Scale tier to enterprise customers.
TraceTxn is BYOS-Stripe, Stripe takes the card data, not us. We never see, store, or process card numbers. PCI scope sits with Stripe and your business directly, not TraceTxn.
Responsible disclosure
If you believe you've found a security vulnerability in TraceTxn, please email us before disclosing publicly. We acknowledge within 48 hours and ship the fix as soon as it's validated. We don't run a paid bug-bounty yet - public hall-of-fame credit is the recognition path today.
PGP key on request. Include reproduction steps, affected endpoint, and your preferred name for disclosure credit.
Open a workspace in 3 minutes
Connect your core stack, eliminate fragmented tracking gaps, and protect your merchant processing pipeline. No call required. No engineer required.