
Security Practices

Last Updated: February 11, 2026

At PermitTracker, we take the security of your data seriously. This page describes the security measures we implement to protect your information.


Infrastructure Security

  • Cloud Hosting: The Service is hosted on industry-standard cloud infrastructure providers (Vercel and Supabase) that maintain robust physical and environmental security controls and hold SOC 2 Type II attestations.
  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Customer Content and database records are encrypted at rest using AES-256 or equivalent encryption, provided by our infrastructure providers. Encryption at rest protects against loss or theft of the underlying storage media; it does not by itself limit what an authenticated user or the application can read, which is the role of the access controls described below.
  • Network Security: Our infrastructure providers implement network-level security controls, including firewalls, DDoS mitigation, and intrusion detection.

Application Security

  • Authentication: We use Supabase Auth, which stores passwords only as bcrypt hashes. Sessions are managed using cookies set with the Secure and HttpOnly flags, so session tokens are sent only over TLS and cannot be read by page scripts.
  • Authorization: Role-based access controls (RBAC) ensure Users can only access data within their organization. Database-level Row Level Security (RLS) policies enforce multi-tenant data isolation in the database itself, so isolation does not depend on every application query remembering to filter by organization.
  • Input Validation: All user inputs are validated server-side against a schema before they are processed, so malformed or unexpected data is rejected rather than passed on to the database or to downstream services.
  • Dependency Management: We regularly review and update application dependencies to remediate known vulnerabilities.

Data Protection

  • Data Isolation: Each Customer's data is logically isolated at the database level using Row Level Security policies, which filter every query to the rows belonging to the requesting User's organization. One Customer cannot access another Customer's data.
  • File Storage: Uploaded documents are stored in private storage buckets and are served only through time-limited signed URLs issued to authorized Users. Files are not publicly accessible.
  • Backups: Our database provider (Supabase) performs automated daily backups. Backup retention follows the provider's standard schedule.
  • Data Deletion: Upon account termination, Customer Content is deleted from active systems within 30 days of the expiration of the export period. Backup copies are purged within approximately 90 days.
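To make the isolation mechanism concrete, the following is an added example of organization-scoped Row Level Security in Postgres, the database Supabase is built on. It is illustrative and is not PermitTracker's actual schema or policies: the table names, columns and role values are assumptions, and auth.uid() is the Supabase helper that returns the calling user's id from the request JWT.

```sql
-- Added example; not PermitTracker's own schema or policies.
-- Table and column names below are assumptions for illustration.
-- auth.uid() is Supabase's helper returning the authenticated user's uuid.

-- Assumed membership table: which users belong to which organization, with what role.
create table organization_members (
  user_id         uuid not null,
  organization_id uuid not null,
  role            text not null check (role in ('owner', 'admin', 'member')),
  primary key (user_id, organization_id)
);

-- Assumed tenant-scoped table.
create table permits (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  title           text not null
);

-- 1. Enable RLS and force it, so even the table owner is subject to the policies.
alter table permits enable row level security;
alter table permits force row level security;

-- 2. With RLS enabled and no policies, every row is hidden (default deny).
--    Each policy below grants exactly one operation to exactly one condition.

-- Read: a user sees only rows belonging to an organization they are a member of.
create policy permits_select_own_org on permits
  for select
  using (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid()
    )
  );

-- Insert: WITH CHECK rejects a row tagged with an organization the user is not in.
create policy permits_insert_own_org on permits
  for insert
  with check (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid()
    )
  );

-- Update: USING limits which rows can be targeted; WITH CHECK prevents moving
-- a row into another organization by changing organization_id.
create policy permits_update_admin on permits
  for update
  using (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid() and role in ('owner', 'admin')
    )
  )
  with check (
    organization_id in (
      select organization_id from organization_members
      where user_id = auth.uid() and role in ('owner', 'admin')
    )
  );

-- 3. The membership table consulted above must also be protected, otherwise
--    any authenticated user could enumerate it directly.
alter table organization_members enable row level security;
alter table organization_members force row level security;

create policy members_select_self on organization_members
  for select
  using (user_id = auth.uid());

-- Sanity check from a client session: querying another organization's rows
-- returns zero rows rather than an error, because the policy filters them out.
-- select * from permits where organization_id = '<another organization id>';
```

Two points worth checking in any RLS-based isolation scheme: the membership table that the policies consult must itself be covered by RLS (as in step 3), and server-side code that uses the Supabase service-role key bypasses RLS entirely, so that key must never be exposed to the browser.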

AI Processing Security

  • Third-Party AI Provider: We use Anthropic's Claude API for document extraction. Document content is transmitted securely (TLS) and processed solely for the purpose of extracting structured data.
  • No Model Training: Customer Content is not used to train AI models. Our agreement with Anthropic prohibits the use of customer data for model training.
  • Data Minimization: We send only the document content necessary for extraction — not your full account data.

Operational Security

  • Access Controls: Access to production systems is restricted to essential personnel on a least-privilege basis.
  • Monitoring: We use application monitoring tools (e.g., Vercel Analytics, Sentry) to detect errors, anomalous behaviour, and potential security issues.
  • Incident Response: We maintain incident response procedures. In the event of a security incident involving unauthorized access to personal information, we will notify affected Customers without unreasonable delay and cooperate with their notification obligations.

Responsible Disclosure

If you discover a security vulnerability in PermitTracker, please report it to us at security@permittracker.app. We appreciate responsible disclosure and will work with you to understand and address the issue promptly.


What We Do NOT Claim

  • We do not currently hold a SOC 2 report of our own. Our infrastructure providers (Supabase, Vercel, Stripe) maintain their own SOC 2 Type II attestations, which cover their platforms, not our application.
  • We do not guarantee that the Service is free from all security vulnerabilities.
  • We continuously evaluate our security posture and may pursue formal certifications as we grow.

Questions

If you have questions about our security practices, please contact us at security@permittracker.app.