Security
How we handle your data.
Intertrak stores inspection data, customer contact information, and photos on behalf of service shops and inspectors. This page describes the controls we have in place today — and where we're still building.
Encryption
- In transit. All traffic to intertrak.app, portal.intertrak.app, inspect.intertrak.app, and our API endpoints is encrypted via TLS 1.2 or higher, enforced at the edge.
- At rest. Customer data is stored in PostgreSQL with AES-256 encryption at rest. Inspection photos are held in encrypted object storage.
Infrastructure
- Hosting. Marketing and portal applications are deployed on Cloudflare Pages with edge-level DDoS protection and WAF rules.
- Database & Auth. Supabase (PostgreSQL + GoTrue) hosted on AWS infrastructure. Passwords are hashed with bcrypt; sessions use signed JWTs with short expirations.
- Backups. Daily encrypted database backups, retained for 7 days. Point-in-time recovery is available.
Sub-processors
The third-party services that touch Intertrak data:
- Supabase — database, auth, and file storage.
- Cloudflare — hosting, CDN, DNS, and DDoS protection.
- Stripe — payment processing (PCI DSS Level 1 certified). Intertrak never stores card data.
- OpenAI — AI-assisted features (description rewrites, advisor coaching, template OCR). Data submitted via the API is not used for model training per OpenAI's API terms.
- Twilio — outbound customer SMS. Enabled for accounts on the branding and communications upgrade. Messages contain inspection links and the customer's first name.
Your data is yours
- Ownership. All inspection data, photos, and customer records you create remain your property. Intertrak holds the data on your behalf as your processor.
- Export. You can export your inspection data at any time. Custom export and integration work is available for larger teams on request.
- Deletion. Request account closure at any time. Data is retained for 30 days after closure for recovery, then permanently deleted from production systems.
SOC 2 status
Intertrak has not yet completed a SOC 2 audit. We follow security practices aligned with SOC 2 Trust Services Criteria — encryption, access controls, backups, and incident response — but the formal third-party audit is not yet in progress. Enterprise customers requiring SOC 2 evidence on a specific timeline should reach out so we can discuss scope and timing.
Reporting a security issue
Found a vulnerability? Email hello@intertrak.app with reproduction details. We acknowledge reports within 2 business days and work in good faith with researchers acting in good faith.