At Traxo, our most important asset is our relationship with you. Traxo is committed to maintaining the confidentiality, integrity and security of any personal information we access about our users.
We are proud of our privacy practices and the strength of our site security, and we want you to know how we protect your information and use it to provide you with the services available at the Internet web site www.traxo.com and its associated mobile applications (the “Service”).
Traxo stresses its privacy and security standards to guard against identity theft and provide security for your account information and other data. We constantly re-evaluate our privacy and security policies and adapt them as necessary to deal with new challenges.
- Traxo services are hosted with cloud service providers that are audited and certified against industry standards.
- For example, AWS is compliant with the PCI, HIPAA, SSAE 16, SOC 2, and SOC 3 standards among others. A full list of AWS certifications is available at aws.amazon.com/compliance.
- Traxo personnel do not have physical access to the infrastructure and systems hosting customer data.
- System configuration and patching occur through an automated process, backed by source code management for change management, tracking and review.
- WAN-facing systems are limited and segmented from the rest of the network.
- Multiple factors of authentication (MFA) are required for operator access.
- Systems access is logged and tracked for auditing purposes.
- Secure destruction policies apply for all sensitive information.
- Fully documented change-management procedures are utilized.
- Numerous monitoring solutions are utilized to prevent and eliminate attacks.
- Access a copy of Traxo’s pen testing results.
Data Security and Backups
- Passwords are protected from brute force attacks with rate-limiting.
- Passwords are hashed with bcrypt.
- Sensitive information is filtered from logs.
- Login information is always sent over TLS.
- Backups and failover systems reside in different geographic locations.
- No physical backups of customer data are created (i.e. tapes or paper).
Encryption in Transit
- All private data exchanged with Traxo is always transmitted over TLS.
- Insecure communications with Traxo public services are automatically redirected to use TLS-protected endpoints.
- Known vulnerable protocols, such as SSL and some versions of TLS, are disabled. TLS 1.2 is required.
Encryption at Rest
- Network-attached storage volumes (AWS EBS volumes, etc.) are provisioned as encrypted volumes.
- Items held in object storage are encrypted.
- Database storage and backups are encrypted.
Credit Card Safety
- Traxo never stores or receives credit card and payment information on its systems.
- Traxo utilizes PCI-certified vendors for credit card processing.
Performance and Availability
- A dedicated status site is available at traxostatus.com and provides real-time system metrics, operational status, and current and historical incident status.
Reporting Security Issues
- Traxo takes any reports of vulnerabilities seriously. If you encounter a security issue with any Traxo services, please report it responsibly by contacting firstname.lastname@example.org. Traxo's PGP key is available at keybase.io/traxo.
- It is against the Traxo Terms of Service to run automated security scanning tools against any Traxo service without prior approval.