Security
The platform holds because we hold it
Spotrak hosts sensitive business data. We treat security as an engineering topic, not a marketing line.
Principles
Three commitments that drive every technical decision.
01
Minimal data
We only collect what the product needs. What doesn't exist can't leak.
02
You stay the owner
Full export anytime, controlled hosting, no AI training on your customers.
03
Engineer-grade security
Code review, automated scanners, yearly third-party audit. No vague promises, real controls.
Technical controls
Encryption
TLS 1.3 in transit, AES-256 at rest. Keys managed by the cloud provider's KMS, with automatic rotation.
Access
Fine-grained RBAC per clinic, full audit logging, MFA required for Spotrak staff.
Infrastructure
EU hosting, daily encrypted backups with 30-day retention, tested disaster recovery plan.
Monitoring
24/7 alerts on incidents and anomalies, queryable audit log, customer notification within 72 hours of an incident.
Data
Strict subcontracting controls, DPAs available, logical data isolation per clinic.
Code
Mandatory review, SAST/DAST scanners, automated dependency updates, no plaintext secrets.
Compliance
Aligned with applicable frameworks, not just a footer sticker.
- GDPR — Spotrak acts as a data processor, DPA provided at signing.
- Law 09-08 (Morocco) — CNDP declaration in progress.
- ISO 27001 — commitment to align our controls with the framework's best practices.
Found something?
We welcome vulnerability reports with seriousness and gratitude. Email security@spotrak.com with technical details. We reply within 48 hours.