uTRAC

Workforce Data Security by Design

At uTRAC, we understand that trust and data security are essential to the services that our customers provide. That's why we are committed to maintaining the highest security standards for our software and our service.

As a centralized workforce management solution, uTRAC decreases the need for disparate systems, giving businesses one solution for securely hosting and managing employee data. Our protection framework, backed by industry-recognized accreditation, gives our customers peace of mind that their company data is secure and that they have the control they need to manage sensitive data adequately.

SOC 2 Type 2 Accredited

uTRAC is committed to maintaining SOC 2 certification in accordance with the American Institute of Certified Public Accountants (AICPA). uTRAC is audited independently by Prescient Assurance, a leader in security and compliance attestation for B2B SaaS companies worldwide.

uTRAC As Data Controllers

For businesses that subscribe to use uTRAC for the provision of our Workforce Management or Applicant Management solutions, we are your data controllers. From the moment customer data is captured, we adhere to the strictest management of that data. In running our business, we utilize some third-party data processors (CRMs and business analytics tools), but only for the management of customers’ business and contact information and never for processing our customers’ employee data. All third-party data processors adhere to uTRAC’s strict internal privacy policies, which are guided by regulations and industry standards.

All customers can be provided with all held data and that data can be deleted upon ‘right to be forgotten’ requests where there is no legitimate requirement for us to hold that data.

Payment Processing

uTRAC does not hold any credit/debit card details used for processing online subscription payments. These payments are processed through Stripe.

uTRAC & Your Employee Data

Businesses looking to utilize uTRAC as a processor of their employee data can rest easy that the uTRAC cloud infrastructure and security team is dedicated to the protection of that data. Keeping our customers’ data secure is the most important aspect of what we do, and uTRAC’s security is fundamental to our business.

Please review our Terms of Service for more information about uTRAC’s Data Security Policies.

Where Is Your Data Hosted?

All data uploaded to uTRAC is hosted by DigitalOcean cloud hosting, with our platform running from 3 facilities.

How Accessible Is Your Data?

uTRAC data is hosted in the cloud, allowing businesses to access relevant data on any device anywhere in the world where there is internet. As with all web-based technology, uTRAC cannot guarantee 100% availability; however, uTRAC has a total uptime of 99.9% (based on the last 365 days), and service availability can be reviewed via status.utrac.online.

Redundancies

uTRAC has implemented several systems and processes to ensure consistent service levels so that our clients can access their employee data when required. Our business is proud of and committed to maintaining our 99.9% uptime status and relies upon formal response plans designed to mitigate risks and ensure quick recovery times.

In the rare occurrence of an incident, uTRAC will endeavour to communicate the current resolution status to our customers via status.utrac.online. All incidents are followed by formal postmortems by our security team, resulting in analysis and corrective actions.

Who Can Access Your Data?

The uTRAC platform is designed so that the controllers of our hosted data (our customers) are enabled to control levels of access and monitor changes to that data. Similarly, access may be given to employees to view and edit their related personal and sensitive data.

Our customers are responsible for the data they upload to uTRAC, and that data is not shared with third parties. In the event of service suspension, uTRAC customers may export all data and expunge that data from uTRAC servers.

uTRAC Support

As part of our service, uTRAC support agents are available to users of uTRAC to assist with the use and operation of the uTRAC platform. All support agents are trained in data security and uTRAC management enforces strict data management policies to ensure personal data remains secured from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording and destruction.

How Secure Is Your Data?

As well as implementing strict policies for internally maintaining the integrity of customer data, uTRAC employs a variety of methods to maintain security from external actors.

Application Security

 All data transmitted to/from uTRAC is encrypted using 256-bit enterprise-level SSL encryption.

 Data is transmitted to uTRAC applications via APIs that require identification and authentication for every request from the client side.

 uTRAC enforces input validation to prevent actions such as SQL injection, scripted DDoS attacks, and cross-site scripting.

 Sensitive data at rest is encrypted asynchronously where required and via pseudonymisation.

 Each time uTRAC is accessed by an authorized user, the session variables are saved in a secure path on the server to avoid session hijacking or session replay. Every session has a unique session ID to avoid “man-in-the-middle” attacks.

 System vulnerability scanners, otherwise known as penetration testing tools, are used to automate security testing of code changes.

 Strict permission controls automatically refresh to prevent unauthorized changes to files located on our servers.

Infrastructure Security

 All production instances are hosted within secured virtual private servers (VPS) supported by DigitalOcean and AWS.

 uTRAC does not run individual hosting environments for each customer; instead, we utilize rigorous policy enforcement and testing to ensure customers cannot access each other’s data.

Database Security

 Access to uTRAC databases is limited using an SSH tunnel, and all access requires password authentication that is strictly controlled and monitored to prevent unprotected access.

 Sensitive data held in the database is encrypted.

 Unauthorized access to administration interfaces and configuration stores is prohibited, and only root can retrieve clear-text configuration data.

 Customer data is backed up iteratively using a managed database allowing for quick disaster recovery.