Trust & Safety
We use practical safeguards for authentication, integrations, and data handling. Here's what is in place today.
🔒 HTTPS Encrypted: TLS encryption for data in transit in production
🛡️ OAuth 2.0: Integration passwords are never stored; OAuth tokens only
💳 Stripe Payments: Stripe processes card payments; BurnTrack does not store full card numbers
🔐 Token Encryption: Shopify and QuickBooks OAuth tokens are encrypted before storage
BurnTrack uses OAuth for integrations and email/password authentication for user accounts.
✓ OAuth 2.0 tokens for Shopify and QuickBooks — we never see your login credentials
✓ Secure password hashing with bcrypt and salting
✓ Email verification and password reset token flows
✓ Server-side session management with explicit logout
✓ Role-based team permissions (owner/admin/member)
Sensitive credentials and integration tokens are encrypted, and core user access is controlled through authenticated sessions.
✓ Shopify and QuickBooks OAuth tokens are encrypted at rest (Fernet)
✓ QuickBooks access tokens are refreshed before expiry during API calls
✓ Shopify integration requests read-only scopes for orders/products/inventory/customers
✓ Application-level rate limiting is enabled for login, signup, and AI chat
✓ Account and integration records include operational timestamps
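The two controls listed above for integration tokens (Fernet encryption at rest and refreshing an access token before it expires) fit together in one small component. The code below is an added illustration, not BurnTrack's own code; it assumes a single Fernet key supplied through an environment variable, an in-memory dictionary standing in for the database, and a caller-supplied refresh function standing in for the provider's token endpoint. It also shows the failure mode a practitioner cares about: a ciphertext that fails authentication (wrong key or tampering) is rejected rather than decrypted into garbage.

```python
"""Added example (not BurnTrack's code): OAuth tokens encrypted at rest with
Fernet, plus refresh-before-expiry. Key source, store and refresh callable are
assumptions for the demo."""
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

from cryptography.fernet import Fernet, InvalidToken

# Refresh when fewer than this many seconds remain, so a token does not expire
# in the middle of an API call. The value is an assumption, not a BurnTrack setting.
REFRESH_SKEW_SECONDS = 300

# Hypothetical environment variable name; a generated key is used when unset.
KEY_ENV_VAR = "TOKEN_ENCRYPTION_KEY"


def key_from_env() -> bytes:
    """Load the Fernet key from the environment (assumed deployment convention)."""
    value = os.environ.get(KEY_ENV_VAR)
    return value.encode() if value else Fernet.generate_key()


@dataclass
class StoredTokens:
    access_token_enc: bytes   # ciphertext only; plaintext never reaches storage
    refresh_token_enc: bytes
    expires_at: float         # unix time; not secret, kept in clear for queries
    updated_at: float         # operational timestamp


class TokenVault:
    """Encrypts provider tokens before they are written to the store."""

    def __init__(self, key: bytes, store: Optional[Dict[str, StoredTokens]] = None):
        self._fernet = Fernet(key)
        self._store = store if store is not None else {}  # constructed in-memory store

    def save(self, account_id: str, access: str, refresh: str,
             expires_in: int, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._store[account_id] = StoredTokens(
            access_token_enc=self._fernet.encrypt(access.encode()),
            refresh_token_enc=self._fernet.encrypt(refresh.encode()),
            expires_at=now + expires_in,
            updated_at=now,
        )

    def raw_record(self, account_id: str) -> StoredTokens:
        return self._store[account_id]

    def _decrypt(self, blob: bytes) -> str:
        try:
            return self._fernet.decrypt(blob).decode()
        except InvalidToken as exc:
            # Wrong key or modified ciphertext: fail closed.
            raise RuntimeError("stored token failed authentication") from exc

    def get_valid_access_token(self, account_id: str,
                               refresh_fn: Callable[[str], Tuple[str, str, int]],
                               now: Optional[float] = None) -> Tuple[str, bool]:
        """Return (access_token, refreshed). Refreshes when inside the skew window."""
        now = time.time() if now is None else now
        rec = self._store[account_id]
        if rec.expires_at - now > REFRESH_SKEW_SECONDS:
            return self._decrypt(rec.access_token_enc), False
        new_access, new_refresh, expires_in = refresh_fn(self._decrypt(rec.refresh_token_enc))
        self.save(account_id, new_access, new_refresh, expires_in, now=now)
        return new_access, True


def demo() -> dict:
    """Walk through save, a fresh read, and a read that triggers a refresh."""
    vault = TokenVault(key_from_env())
    t0 = 1_700_000_000.0  # constructed fixed clock for a deterministic run
    vault.save("acct-1", "access-A", "refresh-A", expires_in=3600, now=t0)
    stored = vault.raw_record("acct-1")
    refresh_calls = []

    def fake_refresh(refresh_token: str) -> Tuple[str, str, int]:
        refresh_calls.append(refresh_token)      # stand-in for the provider endpoint
        return "access-B", "refresh-B", 3600

    tok1, r1 = vault.get_valid_access_token("acct-1", fake_refresh, now=t0 + 60)
    tok2, r2 = vault.get_valid_access_token("acct-1", fake_refresh, now=t0 + 3400)
    return {"first": (tok1, r1), "second": (tok2, r2),
            "refresh_calls": refresh_calls,
            "plaintext_in_store": b"access-A" in stored.access_token_enc}


def tamper_is_detected() -> bool:
    """A flipped ciphertext byte must be rejected, not silently decrypted."""
    vault = TokenVault(Fernet.generate_key())
    vault.save("acct-2", "access-X", "refresh-X", expires_in=3600, now=0.0)
    rec = vault.raw_record("acct-2")
    damaged = bytearray(rec.access_token_enc)
    damaged[-2] ^= 0x01
    rec.access_token_enc = bytes(damaged)
    try:
        vault.get_valid_access_token("acct-2", lambda rt: ("a", "b", 1), now=10.0)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), tamper_is_detected())
```

The expiry time is stored in clear so the scheduler can find tokens nearing expiry without decrypting anything; only the token values themselves are ciphertext. Fernet authenticates as well as encrypts, which is why the tampered record is refused instead of yielding a corrupted token.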
Integration access is permissioned and scoped to support data sync and analysis workflows.
✓ Shopify: OAuth 2.0 with read-focused scopes (orders, products, inventory, customers)
✓ QuickBooks: OAuth 2.0 with encrypted access and refresh tokens
✓ QuickBooks tokens are refreshed automatically when nearing expiry
✓ Stripe: checkout and billing are handled by Stripe
✓ Team activity logs are available for team-management actions
BurnTrack is hosted on Railway and includes health checks and operational logging.
✓ Hosted on Railway
✓ Application health-check endpoint for runtime status
✓ Operational logging for integration and sync flows
✓ No formal public uptime SLA is currently offered
✓ Infrastructure edge protections depend on hosting-provider defaults
Your data is used to operate BurnTrack features. We aim to keep data use limited and transparent.
✓ We do not sell customer data to advertisers
✓ Payment processing is delegated to Stripe
✓ AI features use Anthropic's Claude as a third-party provider
✓ You can request help with account/data deletion via support
✓ We have not yet published third-party security audit reports
📋 SOC 2: Not certified yet
🌍 Privacy Requests: Handled via support workflow
🔒 Independent Security Audit: Not currently published
💳 Payment Security: Card-data compliance is managed by Stripe
If a security issue is reported, we triage, investigate, and communicate remediation updates.
• Triage and acknowledgement of credible reports
• Investigation, containment, and fixes based on severity
• User communication when incidents materially affect customer data
• Post-incident review to reduce repeat issues
© 2026 BurnTrack. All rights reserved.
Powered by Claude AI from Anthropic