Security Overview
Last updated: 22 June 2026
This Security Overview describes the technical and organisational practices Boardrooms to Backroads Consulting LLC (“B2BC”, “we”, “us”) uses to protect the Content that the Customer and its Users entrust to TrailTrack (the “Service”). It is provided for transparency and describes our practices and commitments; it is a template intended to be reviewed with legal counsel and does not create warranties or guarantees beyond those in the Terms of Service. No system can be guaranteed to be perfectly secure.
1. Shared-responsibility model
Security is a shared responsibility. We are responsible for securing the Service’s infrastructure, application, and the practices described below. The Customer is responsible for how it configures and uses the Service, including managing User access, enforcing strong authentication, protecting its own credentials and API keys, and deciding what Content and Personal Data to submit. Customer responsibilities are summarised in Section 14.
2. Data encryption
- Encryption in transit: connections to the Service are protected with industry-standard Transport Layer Security (TLS / HTTPS).
- Encryption at rest: Content stored in our managed database and file storage is encrypted at rest by our infrastructure providers.
3. Authentication and access control
- Access to the Service is invite-only; Users join a workspace by invitation.
- Sign-in supports magic-link email authentication and OAuth-based sign-in with supported identity providers.
- Users may optionally enable time-based one-time-password (TOTP) two-factor authentication and passkeys / WebAuthn for stronger sign-in.
- Sessions are managed with secure, time-limited tokens, and Users can sign out to end a session.
4. Authorisation and tenant isolation
- Data is isolated per workspace, and this isolation is enforced at the database layer using row-level security (RLS), so that one Customer’s Content is not accessible to another.
- Access within a workspace is scoped by membership and role, so Users see only the spaces, lists, and items they are authorised to access.
- Private spaces, lists, and per-item privacy settings further restrict sensitive Content to the members the Customer authorises.
5. Application security
- We set security-related HTTP response headers, including cross-origin isolation headers (such as Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy), to reduce classes of browser-based attacks.
- We apply input-handling and output-encoding practices intended to mitigate common web vulnerabilities, authenticate API routes, and verify webhook signatures.
- We manage third-party dependencies and apply updates to address known vulnerabilities as part of routine maintenance.
- Service credentials are handled with least privilege and kept server-side; secrets and integration tokens are not exposed to the browser or client code.
6. File storage security
Uploaded files are stored in our managed file storage. Sensitive buckets, such as those holding attachments and receipts, are kept private and are served through short-lived signed URLs rather than being publicly accessible, so that access is limited to authorised Users.
7. Infrastructure and hosting
The Service runs on managed, reputable infrastructure providers. We use Supabase for the Postgres database, authentication, and file storage, and Vercel for application hosting and content delivery. These providers maintain their own security programmes and physical and network controls. A current list of the providers that Process Personal Data on our behalf is published at Subprocessors.
8. Logging, audit trail, and monitoring
- We maintain audit logging of significant account and security-relevant events, with configurable retention to support compliance.
- We use error monitoring and operational logging to detect and address issues affecting the Service.
- Logs are retained for a limited period and access to them is restricted to authorised personnel.
9. Backups, availability, and resilience
Our managed infrastructure providers perform regular backups of the database, supporting recovery in the event of data loss. The Service is provided on an “as is” and “as available” basis as described in the Terms of Service; while we work to maintain availability, we do not guarantee uninterrupted or error-free operation unless expressly agreed in writing.
10. Vulnerability management and responsible disclosure
We welcome reports of suspected security vulnerabilities. Please report them in good faith to security@boardroomstobackroads.com with enough detail for us to reproduce and assess the issue. When testing, please act in good faith: only access data that belongs to you, do not run disruptive, automated, or denial-of-service style tests against the Service, and do not access, modify, or destroy other Users’ data. We will not pursue legal action for good-faith security research that respects these guidelines and applicable law, and we ask that you give us a reasonable opportunity to remediate before any public disclosure.
11. Incident response and breach notification
We maintain practices for investigating and responding to security incidents. If a Personal Data Breach affecting Customer Content occurs, we will notify affected Customers without undue delay and in accordance with our Data Processing Addendum and applicable law, and we will cooperate with Customers in their own assessment and notification obligations.
12. Personnel and access practices
Personnel who can access systems holding Personal Data are bound by confidentiality obligations and are granted access on a least-privilege, need-to-know basis. Administrative and service credentials are limited, kept server-side, and managed so that access is restricted to what is necessary to operate and support the Service.
13. Compliance posture
We design our practices with reference to widely recognised data-protection and security principles, and we support compliance features such as audit logging, configurable retention, and data export and deletion (in Settings → Compliance). We do not currently hold a formal SOC 2 or ISO 27001 certification; such certifications are [planned / not yet certified], and we will update this page if our certification status changes. We do not claim any certification we have not obtained.
14. Customer responsibilities
- Enforce strong authentication, including enabling 2FA or passkeys where appropriate.
- Protect account credentials, API keys, and any bring-your-own-key (BYOK) AI keys.
- Manage member access and roles, and remove access promptly when it is no longer needed.
- Review and configure private spaces, lists, and per-item privacy for sensitive Content.
- Avoid uploading prohibited data or Content that the Customer is not authorised to Process, and avoid special categories of Personal Data unless appropriate safeguards are in place.
15. Changes to this overview
We may update this Security Overview as our practices evolve. The “Last updated” date above reflects the most recent revision. Material changes will be reflected here, and continued use of the Service after an update constitutes acceptance of the revised overview.
16. Contact
Security questions and vulnerability reports may be sent to security@boardroomstobackroads.com. Privacy enquiries may be sent to privacy@boardroomstobackroads.com or to our data-protection contact at dpo@boardroomstobackroads.com. See also the Privacy Policy, the Data Processing Addendum, and the list of Subprocessors.
