Security & Compliance Statement

Last Updated: March 13, 2026

At RefriTrak, we recognize that we are a mission-critical component of your compliance and environmental management strategy. We treat your data with the same level of security and rigor required by the enterprise organizations we serve.

1. Data Encryption

RefriTrak ensures that your data is protected both while moving across the internet and while sitting in our databases.

In Transit: All data sent to or from RefriTrak is encrypted using TLS 1.2 or higher over HTTPS. We enforce HSTS (HTTP Strict Transport Security) so that browsers never connect over an insecure channel.

At Rest: All application data is stored in MongoDB Atlas and Amazon S3 and encrypted with industrial-grade AES-256. This ensures that even in the event of physical hardware access, your data remains unreadable.

2. Infrastructure & Hosting

RefriTrak is built on top of world-class, SOC 2-compliant infrastructure providers.

Cloud Environment: Our application is hosted on Vercel and AWS. These data centers maintain rigorous physical security, including 24/7 monitoring, biometric access, and environmental controls.

Global Edge Network: By utilizing Vercel's Edge Network, we benefit from built-in DDoS protection and a sophisticated Web Application Firewall (WAF) to mitigate common web-based attacks (OWASP Top 10).

Tenant Isolation: All customer data is logically isolated by organization. Access controls are enforced at both the application and database level, ensuring that users can only access data belonging to their own organization. Cross-tenant data access is not possible by design.

3. Application Security

Authentication: RefriTrak supports passkey authentication (FIDO2/WebAuthn) — a phishing-resistant standard that replaces passwords with device-based biometrics or PIN. Passkeys are cryptographically bound to our domain and cannot be stolen or replicated via phishing attacks. Administrative access to our backend infrastructure requires Multi-Factor Authentication (MFA).

Employee Access Controls: Customer data is accessible only to a limited number of RefriTrak personnel who require it to operate and support the Service. Access is granted on a least-privilege basis, logged, and reviewed periodically. No employee may access customer data without a legitimate operational need.

Continuous Monitoring: We employ automated dependency and vulnerability scanning via GitHub's security tooling to identify and patch security risks in our dependencies before they reach production.

Code Integrity: All code changes are tracked via version control, require review, and undergo automated testing to ensure stability and security before deployment.

4. Compliance Status

  • RefriTrak is currently in the SOC 2 Readiness Phase.
  • Our internal controls are designed around the AICPA Trust Services Criteria for Security.
  • We follow a "Security by Design" philosophy, ensuring that privacy and data integrity are baked into every feature we build.

5. Business Continuity

Backups: Encrypted backups of all critical data are performed daily via MongoDB Atlas continuous backup and stored across multiple geographic regions to ensure data durability and point-in-time recovery.

Uptime: We maintain a high-availability architecture to ensure your refrigerant logs are accessible whenever an inspector walks through your door.

6. Vulnerability Disclosure

If you believe you have discovered a security vulnerability in RefriTrak, please report it responsibly to support@refritrak.com. We ask that you give us reasonable time to investigate and remediate before any public disclosure.

We commit to:

  • Acknowledging receipt of your report within 48 hours
  • Providing an initial assessment and resolution timeline within 7 business days
  • Keeping you informed of our progress
  • Not pursuing legal action against researchers who act in good faith under this policy

7. Contact

For security-related inquiries or to report a vulnerability, please contact us at support@refritrak.com.
