Workforce Data Security by Design

At uTRAC, we understand that trust and data security are essential to the services that our customers provide. That's why we are committed to maintaining the highest security standards for our software and our service.




As a centralized workforce management solution, uTRAC decreases the need for disparate systems, giving businesses one solution for securely hosting and managing employee data. Our protection framework, backed by industry-recognised accreditation, gives our customers peace of mind that their company data is secure and that they have the control they need to manage sensitive data adequately.

SOC 2 Certified

uTRAC is committed to maintaining SOC 2 certification in accordance with the American Institute of Certified Public Accountants (AICPA). uTRAC is audited independently by Prescient Assurance, a leader in security and compliance attestation for B2B SaaS companies worldwide.

SOC 2 Audited by Prescient Assurance


uTRAC As Data Controllers

For businesses that subscribe to uTRAC for the provision of our Workforce Management or Applicant Management solutions, we are your data controllers. From the moment customer data is captured, we adhere to the strictest management of that data. In running our business, we utilize some third-party data processors (CRMs and business analytics tools), but only for the management of customers' business and contact information and never for processing our customers' employee data. All third-party data processors adhere to uTRAC's strict internal privacy policies, which are guided by regulations and industry standards.

Any customer can be provided with all data we hold on them, and that data can be deleted on a 'right to be forgotten' request where we have no legitimate requirement to retain it.

Payment Processing

uTRAC does not hold any credit/debit card details used for processing online subscription payments. These payments are processed through Stripe.



uTRAC & Your Employee Data

Businesses looking to utilize uTRAC as a processor of their employee data can rest easy that the uTRAC cloud infrastructure and security team is dedicated to the protection of that data. Keeping our customers' data secure is the most important aspect of what we do, and uTRAC's security is fundamental to our business.

Please review our Terms of Service for more information about uTRAC’s Data Security Policies.

Where Is Your Data Hosted?

All data uploaded to uTRAC is hosted on Digital Ocean cloud infrastructure, with our platform running from three facilities.

London, UK

uTRAC customers based in the United Kingdom have their data hosted on Digital Ocean servers in its London data centre.

Amsterdam, Netherlands

uTRAC customers based in the European Union have their data hosted on Digital Ocean servers in its Amsterdam data centre.

New York, USA

uTRAC customers based anywhere else in the world have their data hosted on Digital Ocean servers in its New York data centre.



How Accessible Is Your Data?

uTRAC data is hosted in the cloud, allowing businesses to access relevant data on any device, anywhere in the world with an internet connection. As with all web-based technology, uTRAC cannot guarantee 100% availability; however, uTRAC has a total uptime of 99.9% (based on the last 365 days), and service availability can be reviewed via utraconline.statuspage.io.


Redundancies

uTRAC has implemented several systems and processes to ensure consistent service levels so that our clients can access their employee data when required. Our business is proud of and committed to maintaining our 99.9% uptime status, and relies upon formal response plans designed to mitigate risks and ensure quick recovery times.

Backups

Customer data is backed up every 4 hours, and uTRAC runs parallel servers to take over in the event of primary server failure.

Monitoring

Scripted monitors check memory levels and server heartbeats with automated alerting and corrective procedures.

Updates

uTRAC relies on automated rollout and rollback processes to safely update our various platforms efficiently.

In the rare occurrence of an incident, uTRAC will endeavour to communicate the current resolution status to our customers via utraconline.statuspage.io. All incidents are followed by formal postmortems by our security team, resulting in analysis and corrective actions.



Who Can Access Your Data?

The uTRAC platform is designed so that the controllers of our hosted data (our customers) can control levels of access and monitor changes to that data. Similarly, access may be given to employees to view and edit their own personal and sensitive data.

Our customers are responsible for the data they upload to uTRAC, and that data is not shared with third parties. In the event of service suspension, uTRAC customers may export all data and expunge that data from uTRAC servers.

uTRAC Support

As part of our service, uTRAC support agents are available to users of uTRAC to assist with the use and operation of the uTRAC platform. All support agents are trained in data security and uTRAC management enforces strict data management policies to ensure personal data remains secured from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording and destruction.

Permission

Only authorized customer account managers may access customer data and only after receiving verifiable permission from the customer. Access to customer data is logged in our Access Records and mapped against customer requests for internal auditing.

Accessibility

Customer data may only be accessed from terminals owned by uTRAC and monitored by authorized security personnel.

Enforcement

Compliance is enforced throughout the uTRAC business via periodic video monitoring, analytical tools, internal and external auditing, and feedback from customers. Non-compliance with uTRAC’s security policies will result in disciplinary actions up to and including termination of employment.



How Secure Is Your Data?

As well as implementing strict policies for internally maintaining the integrity of customer data, uTRAC employs a variety of methods to maintain security from external actors.

Application Security

  • All data transmitted to/from uTRAC is encrypted using 256-bit enterprise-level SSL encryption.
  • Data is transmitted to uTRAC applications via APIs that require identification and authentication for every client-side request.
  • uTRAC enforces input validation to prevent actions such as SQL injection, scripted DDoS attacks, and cross-site scripting.
  • Sensitive data at rest is encrypted asynchronously where required, and via pseudonymisation.
  • Each time uTRAC is accessed by an authorized user, the session variables are saved in a secure path on the server to avoid session hijacking or session replay, and every session has a unique session ID to avoid "man in the middle" attacks.
  • System vulnerability scanners, otherwise known as penetration testing tools, are used to automate security testing of code changes.
  • Strict permission controls that automatically refresh prevent unauthorized changes to files located on our servers.

Infrastructure Security

  • All production instances are hosted on secured virtual private servers (VPS) provided by Digital Ocean and AWS.
  • uTRAC does not run a separate hosting environment for each customer; instead, we utilize rigorous policy enforcement and testing to ensure customers cannot access each other's data.

Database Security

  • Access to uTRAC databases is limited to SSH tunnels, and all access requires password authentication that is strictly controlled and monitored to prevent unprotected access.
  • Sensitive data held in the database is encrypted.
  • Administration interfaces and configuration stores are protected against unauthorized access; only root can retrieve clear-text configuration data.
  • Databases and files are backed up every 4 hours using a tri-layer backup protocol, including physical backups, for data security and recovery.


uTRAC & GDPR

The GDPR is the EU data protection regulation aiming to standardize and strengthen the rights of European citizens to data privacy. From May 25, 2018, every organization holding data of any EU citizen is obliged to meet new standards of transparency, security and accountability.

We recommend that all clients familiarize themselves with the GDPR legislation and its definition of Personal Data, and ensure that they have taken the requisite steps to make their internal data policies compliant.

Are You GDPR Ready?

Download our GDPR checklist.

uTRAC is compliant as a cloud service provider that processes the employee data uploaded by its EU/EEA customers.

  • Data Protection Officer: uTRAC has appointed a Data Protection Officer. In this role, our DPO performs regular internal audits to ensure that uTRAC's Privacy Policies are fully implemented and adhered to. Please contact compliance@utraconline.com if you have any queries.
  • Data Processing Agreement: uTRAC's standard data processing agreement for EU/EEA customers is applied through our software terms of service.
  • Security Policies, Training & Enforcement: uTRAC enforces strict data policies throughout its business with rigorous training and monitoring.
  • Risk Impact Assessments: uTRAC implements a 'privacy by design' approach to developing our platform, which includes an extensive risk assessment of each product change.
  • Website Auditing: uTRAC's commercial website (utraconline.com) is hosted separately from the uTRAC cloud platform and has been audited to ensure that the cookies and visitor tracking used to improve user experience adhere to GDPR.
  • Data Separation: Personal data uploaded by EU/EEA clients is not transferred outside of uTRAC's EU-based servers.
  • 3rd Parties: uTRAC does not share any employee data uploaded by clients with any third parties.
  • Encryption in Transit: All data transferred to/from uTRAC is encrypted using 256-bit enterprise-level SSL encryption.
  • Encryption at Rest: Sensitive data remains hidden through pseudonymisation and asynchronous encryption where appropriate.
  • Testing: uTRAC regularly scans for endpoint vulnerabilities and runs penetration tests to maintain data integrity.
  • Breach Monitoring & Notifications: uTRAC utilizes alarms and redundancies to monitor for breaches. Customers will be notified of the exact details of any data breach without delay, where feasible.
  • Consent, Transparency & 'Right to Be Forgotten': Employees may review and amend their personal data through the uTRAC platform, while uTRAC enables its clients to request privacy policy 'opt-ins' from employees. uTRAC can also quickly assist with any requests made by employees to our clients for data amendment, review, or erasure.

uTRAC Updates Related to GDPR

In accordance with GDPR, we will soon be rolling out updated Terms of Service and Privacy Policies which will require acceptance by all users prior to logging in to the uTRAC platform. By agreeing to these updates, users of our platform will be entering into a new agreement of consent with us that satisfies the requirements of GDPR in the scope of how uTRAC is utilized as a data processor and how we act as a data controller.

Similarly, we will be rolling out new functionality in the uTRAC platform for our clients to better guarantee compliance with GDPR in how they manage the data of current and future employees.

Staff Opt-In Tool

The uTRAC Staff Opt-In Tool will allow employers to communicate any changes to their employment contracts and privacy policies. Employees will be able to opt in to any changes, giving their employers an auditable tool to easily prove that adequate consent was given for the holding and management of their employee data.

This tool is available on request and our team will be on-hand to assist any clients wishing to communicate data policy consent forms to their staff.

Unsubscribe Tracking

For customers that utilize uTRAC mail servers, outgoing emails from their uTRAC accounts will now include unsubscribe links in the footer. uTRAC will automatically prevent any further emails being sent to individuals who unsubscribe and will notify our customers of each unsubscription.

The contents of this page are limited to general information and not detailed analyses of law or legal advice and are not intended to address specific legal queries arising in any particular set of circumstances.
