Security Measures

1. Web Application Security

Tracker Boot is protected by Amazon Web Application Firewall (WAF) with multiple layers of filtering, including: (i) OWASP Top 10 protections (e.g., injection, cross-site scripting, broken authentication); (ii) maximum body size limit rules to help prevent oversized payload attacks; (iii) file upload size limit rules to block abnormally large files; (iv) rate limiting rules to mitigate denial-of-service (DoS) and brute-force attacks; and (v) SQL injection protection rules to detect and block malicious input targeting databases.

2. Authentication and Session Management

(i) SSO Login (Google) is enforced to streamline authentication and reduce credential-based attack risks. (ii) Once authenticated, Tracker Boot uses secure session cookies to maintain login status, reducing the need for repeated authentication and minimizing exposure of login credentials.

3. Organizational Controls

(i) Role-based access control (RBAC) within the Tracker Boot environment; (ii) continuous monitoring for abnormal activity; (iii) encryption of data in transit (TLS) and at rest; and (iv) regular internal audits and security reviews.

4. AI Security & Data Controls

AI Hosting and Execution

AI-assisted features are powered by Anthropic models accessed through Amazon Bedrock. Bekind Labs uses Amazon Bedrock Cross-Region Inference profiles, which may automatically route inference requests originating from the Asia Pacific (Tokyo) region to other AWS Regions included in the applicable inference profile for processing. Accordingly, prompts, model inputs, and model outputs may be processed outside the Asia Pacific (Tokyo) region. Retrieval, indexing, and storage components used for AI-assisted features are maintained within Bekind Labs’ AWS environment in the Asia Pacific (Tokyo) region, and data remains stored in the source region unless otherwise stated.

Tenant and Project Isolation

AI processing, retrieval (including semantic search and retrieval-augmented functionality), caches, and related application data are scoped by tenant and project to help prevent cross-tenant or cross-project access and data leakage. Retrieval and indexing for semantic search are maintained within Bekind Labs’ AWS environment and are project-scoped.

Role-Based Access Control (RBAC) Inheritance

AI-assisted capabilities inherit and enforce the same permissions as the requesting user. AI-assisted actions are limited by the user’s existing authorization level and project access.

Prompt Abuse and Injection Defense

We apply safeguards designed to detect and prevent prompt injection attempts, system prompt extraction, database or schema probing, jailbreak attempts, attempts to retrieve data outside an authorized project scope, unauthorized requests to delete or alter data, and other abusive or prohibited requests. We also apply restrictions to certain categories of outputs, including requests for individual productivity or performance rankings, where such requests are not permitted by product policy or applicable authorization controls.

Logging Redaction, Minimization, and Telemetry

To support continuity of AI-assisted experiences and related workflows, submitted prompts and AI-generated outputs may be stored as part of conversation history or related application state associated with AI-assisted features. Where appropriate and feasible, logs are minimized and sensitive credentials, such as API keys and access tokens, are masked before storage or logging. Certain account-associated identifiers, such as user names or email addresses, may remain associated with records where reasonably necessary to provide, secure, maintain, or administer the Services. We may also collect operational telemetry related to AI-assisted features, including request type, token usage, and certain latency, performance, and error-related events, to support monitoring, troubleshooting, security, and reliability.

AI Interaction Data Retention

Performance, tracing, error, and reliability telemetry associated with AI-assisted features may be retained as reasonably necessary to operate the Services, maintain security, prevent abuse, debug issues, and improve reliability. AI agent traces, transactions, and related diagnostic data associated with AI-assisted features may be retained for up to thirty (30) days. Other operational and technical logs relating to AI-assisted features may be retained for longer periods where reasonably necessary for service operations, security, incident investigation, abuse prevention, troubleshooting, legal compliance, or dispute resolution. Where appropriate and feasible, we minimize retention and apply redaction measures, such as masking sensitive information, to reduce exposure of personal or confidential data in logs.

No Foundation Model Training

Customer content processed through AI-assisted features is subject to applicable contractual restrictions governing provider use and is not used to train the foundation models used to provide those AI-assisted features, except where expressly agreed in writing and permitted by applicable law.

Auditability

We maintain records of certain AI-related requests and operational events within authorized project scope to support security monitoring, troubleshooting, and audit needs. Such records may include request type, timestamp, token usage, and certain performance or error-related events, as reasonably necessary for service operation, security, and compliance purposes.

5. Third-Party Dependencies

Tracker Boot relies on trusted third-party open-source libraries and services. A complete and up-to-date list of current dependencies is maintained separately. We also maintain a Sub-processor List for third-party providers that may process Customer Personal Data, including providers supporting AI-assisted features.

These measures reflect our commitment to maintaining a secure environment for product development workflows within Tracker Boot.