Security

How TraceLinker protects your data and our responsible disclosure policy.

Last updated: January 2026

We take security seriously. This page documents what we do to protect your data and how to report a vulnerability.

Data we store

  • Your account email and display name (used for sign-in and outgoing emails).
  • Backlink lists you upload (CSV) and audit results we produce.
  • Monitoring schedules and the change log of every monitored link.
  • Outreach drafts you create.
  • Optional Google Search Console OAuth tokens (read-only scope), encrypted at rest.

We do not store credit card numbers; all billing data is handled by Stripe.

Encryption

  • TLS 1.3 in transit for every connection.
  • Database storage at rest is encrypted by our infrastructure provider (Supabase + cloud disk encryption).
  • OAuth tokens for Google Search Console are stored in an encrypted database column.

Access control

  • Row-level security in our database means users can only read rows tied to their own user ID.
  • Admin access is restricted by an explicit role flag and reviewed manually.
  • Service-role API keys are kept in a server-only environment and never reach the browser.

Authentication

We use email magic links (passwordless). No password to leak, lose, or reuse. Sessions are stored as HTTP-only secure cookies.

Responsible disclosure

If you have found a vulnerability, please email security@tracelinker.com with:

  • A description of the issue and impact
  • Steps to reproduce
  • Your contact info so we can follow up

We commit to:

  • Acknowledging receipt within 48 hours
  • Providing an initial assessment within 5 business days
  • Crediting you in our release notes (with permission) once the fix is deployed

Please do not publish the issue, exploit it beyond what is needed to demonstrate it, or access another user's data without consent.

Compliance

We are not yet SOC 2 or ISO 27001 certified. If your organization has compliance requirements, please reach out at hello@tracelinker.com and we will share what we can.
