TrackerAIVeterinary Intelligence

Legal

Security & Compliance

Last updated: May 2025

Security is foundational to TrackerAI. Veterinary professionals trust us with sensitive clinical queries, and we take that responsibility seriously. This page describes our current security architecture, data handling practices, and the controls we have in place to protect the platform and its users.

1. Infrastructure Security

Cloud Hosting

The TrackerAI platform is hosted on modern cloud infrastructure with physical security managed by our providers. Compute and storage resources are isolated per environment (development, staging, production) with strict access controls between them.

Network Security

  • All traffic between clients and our servers is encrypted using TLS 1.2 or higher
  • HTTP requests are automatically redirected to HTTPS
  • Network firewalls and security groups restrict inbound access to authorised services only
  • Database connections are made over encrypted channels and are not exposed to the public internet

2. Application Security

Authentication

  • Passwords are hashed using bcrypt with a per-user salt — plaintext passwords are never stored
  • API keys are stored as SHA-256 hashes; the raw key is shown only once at creation time
  • Session tokens are signed JWTs with short expiry windows and server-side invalidation support
  • API key authentication uses constant-time comparison to prevent timing attacks

API Security

  • All API endpoints require authentication (Bearer JWT or X-API-Key header)
  • Rate limiting is applied per user to prevent abuse and protect service availability
  • Input validation is enforced on all API request bodies before processing
  • CORS policies restrict cross-origin requests to authorised origins

Dependency Management

We regularly audit our software dependencies for known vulnerabilities using automated scanning tools. Security patches are applied promptly, and dependencies are pinned to reviewed versions in our build pipeline.

3. Data Security

Data in Transit

All data transmitted between your browser or API client and TrackerAI servers is encrypted with TLS. This includes diagnostic queries, responses, account data, and API key operations.

Data at Rest

Data stored in our databases is protected by encryption at rest, managed by our database provider. Backups are also encrypted and access-controlled.

Sensitive Data Handling

We advise users not to submit personally identifiable information about pet owners or patients. TrackerAI is designed to receive anonymised clinical descriptions. Where personal data is inadvertently submitted, it is handled under our Privacy Policy.

4. Access Controls

Internal access to production systems follows the principle of least privilege:

  • Only authorised team members have access to production infrastructure
  • Database access is restricted to specific service accounts
  • All internal access is logged and auditable
  • Credentials and secrets are managed via secret management systems, not stored in code

5. Incident Response

We maintain an internal incident response procedure. In the event of a confirmed data breach affecting personal data:

  • We will notify affected users within 72 hours of becoming aware of the breach
  • We will report to the UK Information Commissioner's Office (ICO) where required by law
  • We will provide clear information on what data was affected and what steps we have taken

6. Responsible Disclosure

We welcome security researchers who responsibly disclose vulnerabilities in our platform. If you discover a potential security issue, please report it to us privately at hello@trackerai.ai before any public disclosure. Please include:

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any proof-of-concept code or screenshots (if applicable)

We commit to acknowledging your report within 5 business days and working with you in good faith to resolve the issue. We ask that you do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue.

7. Compliance

TrackerAI is operated in accordance with:

  • UK GDPR & Data Protection Act 2018 — governing personal data processing
  • PECR (Privacy and Electronic Communications Regulations) — governing cookies and electronic marketing

We are actively working toward additional certifications as the platform matures. Updates will be reflected on this page.

8. Contact

For security questions or to report a vulnerability, contact us at hello@trackerai.ai.