Security is foundational to Subtrack. We handle sensitive data — API keys, financial information, and business-critical renewal dates — and we take that responsibility seriously.
Encryption
All data is encrypted in transit using TLS 1.3. Data at rest is encrypted using AES-256 via Google Cloud Platform's default encryption. API credentials for third-party integrations are stored encrypted in Firestore with server-side access controls.
Authentication
Authentication is handled by Firebase Authentication, which supports industry-standard protocols including OAuth 2.0. We support email/password and Google SSO. Passwords are hashed and salted by Firebase Authentication and never stored in plaintext.
Access Controls
Firestore security rules enforce row-level security — users can only access their own data. Organization data is scoped by membership and role (Owner, Admin, Member, Viewer). API routes verify Firebase ID tokens server-side on every request.
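As an added illustration of the access model described above (this is not Subtrack's own rules file, and it assumes a hypothetical collection layout of /users/{uid}/... for personal data and /organizations/{orgId}/members/{uid} documents carrying a role field), here is a Firestore security rules file that enforces per-user access and role-scoped organization access:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Caller presented a valid Firebase ID token (Firestore verifies it before
    // evaluating rules; request.auth is null for unauthenticated requests).
    function signedIn() {
      return request.auth != null;
    }

    // Assumed layout: /organizations/{orgId}/members/{uid} with a `role` field.
    function isMember(orgId) {
      return signedIn()
        && exists(/databases/$(database)/documents/organizations/$(orgId)/members/$(request.auth.uid));
    }

    // Role lookup costs one document read per evaluation; rules allow at most
    // ten get()/exists() calls per request, so keep role checks shallow.
    function memberRole(orgId) {
      return get(/databases/$(database)/documents/organizations/$(orgId)/members/$(request.auth.uid)).data.role;
    }

    function hasRole(orgId, roles) {
      return isMember(orgId) && memberRole(orgId) in roles;
    }

    // Per-user data: a user may only read or write documents under their own uid.
    match /users/{uid}/{document=**} {
      allow read, write: if signedIn() && request.auth.uid == uid;
    }

    match /organizations/{orgId} {
      allow read: if isMember(orgId);
      allow create: if signedIn();          // the creator is recorded as Owner server-side (assumed)
      allow update: if hasRole(orgId, ['Owner', 'Admin']);
      allow delete: if hasRole(orgId, ['Owner']);

      // Subscriptions tracked by the org: every member reads, Viewers cannot write.
      match /subscriptions/{subId} {
        allow read: if isMember(orgId);
        allow create, update: if hasRole(orgId, ['Owner', 'Admin', 'Member']);
        allow delete: if hasRole(orgId, ['Owner', 'Admin']);
      }

      // Membership list: Owners manage anyone; Admins may manage members but
      // may neither grant the Owner role nor remove an existing Owner.
      match /members/{memberUid} {
        allow read: if isMember(orgId);
        allow create, update: if hasRole(orgId, ['Owner'])
          || (hasRole(orgId, ['Admin']) && request.resource.data.role != 'Owner');
        allow delete: if hasRole(orgId, ['Owner'])
          || (hasRole(orgId, ['Admin']) && resource.data.role != 'Owner');
      }
    }
    // Anything not matched above is denied by default; no catch-all allow exists.
  }
}
```

These rules govern direct client reads and writes to Firestore. Requests that go through the application's own API routes are checked separately there, by verifying the Firebase ID token server-side before the route reads or writes data on the user's behalf, so both paths end up enforcing the same ownership and role boundaries.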
Financial Data
We partner with Plaid for financial data connections. We never see, store, or have access to your banking credentials. Plaid is SOC 2 Type II certified, and data is transmitted via their encrypted API. We only receive transaction-level data (merchant, amount, date) needed to identify subscriptions.
Infrastructure
Subtrack runs on Google Cloud Platform (GCP) with Firebase. GCP maintains SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and FedRAMP certifications. Data is hosted in the United States (us-central1) with automatic redundancy.
Vulnerability Reporting
If you discover a security vulnerability, please report it to security@getsubtrack.com. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before public disclosure.
Questions?
For security-related inquiries, contact us at security@getsubtrack.com.
EDC Properties Inc., 10301 Ranch Road 2222, Austin, TX 78730.
