Security & Confidentiality Statement
TrakOps (MS Consolidated Pty Ltd ACN 688 688 011, as trustee for the MS Trust, ABN 20 330 986 807) — Last updated: 4 July 2026
Our customers store competitively sensitive motorsport data on TrakOps — vehicle designs, setup data, and telemetry. This Statement describes how we protect it. It is incorporated into our Terms of Service and forms Annex 2 of our Data Processing Addendum.
1. Confidentiality commitments
- Customer Data is treated as your confidential information. We do not sell it, share it with other customers, or use it to build competing products.
- Customer Data is disclosed only to the service providers needed to run the platform (listed in our Privacy Policy), each under contractual confidentiality and data protection obligations.
- AI-powered features run on the Anthropic API under Anthropic's commercial terms: Customer Data processed through these features is used solely to deliver the feature and is not used to train Anthropic's models. Our team never includes Customer Data in feedback or bug reports submitted to AI providers.
- Access to Customer Data by our personnel is limited to what is necessary to operate the platform and resolve support requests you raise.
- Customer workspaces are logically separated: tenant isolation is enforced at the database layer through row-level security policies, so that no customer can access another customer's data. Any attempt to circumvent this separation is a serious violation of our Acceptable Use Policy.
2. Technical measures
- Encryption in transit: all connections to the platform use TLS (HTTPS).
- Encryption at rest: Customer Data stored in our Supabase-hosted database and storage is encrypted at rest (AES-256), including backups.
- Payments: processed entirely by Stripe, a PCI-DSS Level 1 certified provider. Full card numbers never touch our systems.
- Hosting: database and file storage with Supabase in Tokyo, Japan (AWS ap-northeast-1); application hosting via Vercel. Both providers maintain their own independently audited security programs (SOC 2 / ISO 27001).
- Authentication: passwords are stored hashed, never in plain text.
- Backups: automated backups of Customer Data are maintained by our database provider and expire on a rolling basis.
3. Organisational measures
- All personnel and contractors with access to production systems are bound by written confidentiality obligations.
- Production access is limited to authorised personnel on a least-privilege basis.
- Code changes are version-controlled (GitHub) and reviewed before deployment.
- We review the security posture of service providers before adopting them.
Independent penetration testing and formal certification (such as SOC 2 or ISO 27001) are on our roadmap as the platform grows.
4. Incident response and breach notification
If we become aware of a security incident affecting your Customer Data, we will notify the affected account owner without undue delay (within 48 hours for confirmed personal data breaches, per our DPA), describe the nature and scope of the incident and the remediation steps, and cooperate with your own notification obligations. We comply with the Australian Notifiable Data Breaches scheme and, where applicable, GDPR breach notification requirements.
5. Data lifecycle
Your data remains yours (Terms of Service, clause 3). You can export it during your subscription using the tools in the Service, and request a full export at any time during your subscription and for 30 days after termination — we deliver it within 14 days of a request. Following that window, data is deleted from production systems within 60 days and expires from routine backups within 90 days thereafter, except where law requires retention.
6. Reporting security issues
Report suspected vulnerabilities or security concerns to contact@trakops.com.au. We welcome good-faith reports and will not pursue researchers who report privately and give us reasonable time to fix issues before any disclosure.
Security contact: contact@trakops.com.au