Not logged in - Login
< back

Tracker Software 'Safe' System Security Whitepaper

Manage Your Evidence and Assets in a Secure Environment

Thousands of customers already trust Tracker Products for managing their evidence and assets. Enhancing the security of your data and processes within SAFE is one of our top priorities, which is why we are constantly focusing our efforts on confidentiality, integrity, and availability by use of technology, security-minded service partners, and enhanced internal support processes. Information security is based on widely-accepted standards.

Physical and Logical Security

SAFE server, network, and storage infrastructure components are hosted at Amazon Web Services (“AWS”). Amazon’s data centers are built to exacting, rigorous standards and deliver exceptional security, power, connectivity, and environmental control. Hosting at AWS allows us to leverage a solid, securely managed infrastructure and platform base that is audited many times each year, trusted by millions of customers with varying security needs, and compliant with multiple security standards including SOC2, FedRAMP, CJIS , and ISO 27001.

Physical access to AWS facilities is strictly controlled, both at the parameter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Data center access is only available to employees and contractors who have a legitimate business need for such privileges.

AWS data centers also have automatic fire detection and suppression systems and fully redundant electrical power systems that can be maintained without impact to operations. This includes uninterruptible power supply (UPS) units and generators. Climate is controlled to maintain a consistent operating temperature for all servers and other hardware, which prevents overheating and reduces the possibility of service outages.

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.

Availability, Redundancy, and Business Continuity

The SAFE system is hosted within multiple AWS availability zones for computing and storage infrastructure and platforms. This means SAFE servers, networks, and customer data span multiple, secure, data centers located and physically separated within a metropolitan region. SAFE will automatically fail-over to an alternate availability zone if computing at the primary zone is interrupted as well as balance processing between multiple availability zones. For capacity demands, SAFE utilizes elastic computing that allows automatic scaling of resources during busy workloads, redundant databases, and network load balancing.

While SAFE has redundancies built into the AWS infrastructure with real-time database replication within the primary AWS hosting region, SAFE customer data is also fully backed up daily (database logs are dumped every 5 minutes) and copies are available in the primary AWS region where SAFE is hosted and copies of the backups are also replicated to a secondary AWS region. In the unlikely event of the primary AWS region being totally down, the backup copy within the secondary AWS region could be utilized to restore the SAFE system within 24 hours with a recovery point objective of 5 minutes. System and Network Security

SAFE servers run a hardened OS with scheduled security patches applied to provide ongoing protection from exploits. All system access is logged and tracked for auditing purposes and AWS support resources with access to SAFE servers undergo a thorough background check. Tracker support personnel utilize unique credentials to access SAFE servers and backend processes as well as multi-factor authentication into the AWS environment.

Application Security

All access to SAFE is protected by Transport Layer Security (TLS 1.2) providing both server authentication and data encryption using 256-bit certificates. This ensures your data is safe, secure, and available only to registered users in your organization with the proper permissions.

Application penetration testing (Pen-Test) is routinely conducted by a 3rd party security firm. This includes the OWASP Top Ten (Open Web Application Security Project) vulnerabilities. Any exploits found during manual and automated penetration tests are addressed and retested to ensure they are remediated in a timely manner.

SAFE requires each user to have a unique username and password that must be entered each time a user logs on. Password strength parameters are enforced by the application and include: password lengths of 10-128 characters, passwords cannot contain 2 identical characters in a row, must contain at least 3 character types out of 4 (upper case, lower case, numbers, and special characters), and passwords cannot be “reused” for one year. In addition, accounts are locked after 5 failed login attempts for a duration of 10 minutes or until unlocked by an administrator.

SAFE supports single sign-on via SAML 1.0 and 2.0 as well as Multi-Factor Authentication via Google Authenticator. Both are optional and configurable by the client.

People and Processes

All Tracker resources that support SAFE must complete basic security awareness training as well as role-based training where applicable. We have developed and adhere to internal change, incident, and related management processes to enhance SAFE’s reliability and to maintain information security and incorporate these processes into all aspects of service delivery. Limited support resources at Tracker have access to Amazon Web Services infrastructure and platforms for SAFE. All access and changes to AWS SAFE services are logged and periodically reviewed for appropriateness.

Frequently Asked Questions

What AWS zone do we store data

  • All traffic and data for is stored in Amazon AWS US-West (Oregon). All traffic and data for is stored in Asia Pacific (Tokyo).

What levels of Security Certifications does AWS data centers offer

What types of data are we compliant to store?

How does SAFE Support Encryption at Rest?

  • The SAFE software system stores data in one of three data storage devices.

  1. All file attachments and media are stored in AWS S3. See AWS documentation for encryption of files in S3
  2. SQL Database – All data is stored on encrypted EBS volumes. See AWS documentation for details
  3. Mongo Database - All data is stored on encrypted EBS volumes. See AWS documentation for details

Do we charge extra for encryption at Rest?

  • No, this is a standard feature of our product delivery.

Can customers have a copy of the encryption key?

  • No, this is a managed function of AWS.

Hardware Change Management

  • AWS, as part of their infrastructure, handles all hardware change management. See AWS for more information.


  • Most of our software and data reside on services provided by AWS that automatically handles all patches. However, for machines we do control, we patch and update software OS and specific products every month.

Data & System Replication

  • All data and systems that support SAFE are replicated with failover options in place to minimize the impact of a single system failure. We are constantly monitoring each system to ensure health and will replace hardware immediately should there be any failure.

What backup procedures are in place?

  • All client stored data are not only stored on encrypted / replicated storage systems but all data is backed up daily and stored on AWS S3 and maintained for 30 full days.

What infrastructure is ‘shared’ v/s ‘dedicated’?

  • All of our client sites are ‘shared’ unless client specifically purchased a Private Cloud Option (PCO). In the PCO scenario we replicate a shared infrastructure but make it private for that client. This means that no hardware and data storage devices are shared but dedicated to a specific client. Additional charges apply to the PCO.

What are our options for long term retention of data?

  • Because SAFE, at its core, is a chain of custody tracking application, we never destroy any data collected. Even the logging, showing changes to data, is kept forever. The only client option to remove data is media payload files.

Do we support Multi Factor Authentication?

  • Yes, each login account can use Google Authenticator for MFA. Org Admins can track user usage in the User Admin area of the system.

Do we support Active Directory Authentication?

  • Yes, each Organization in the SAFE product can tie users back to a SAML 2.0 system.

How do we handle access control and least privilege?

  • Each account created in the SAFE system has no permissions by default. Org admins will assign systems permissions from there.

How do we monitor and report on account activity?

  • The SAFE system logs all activity to the system including every API request. We are constantly monitoring for brute force attacks and will disable a IP if any activity is found to be brute force in nature. We also document each valid login back to originating IP address. From there, with API activity logs, we can track all user steps within the system.

How is client data returned at the end of a contract?

  • All client data can be directly exported via the product UI. At no point, do we own or hold your data in such a way that you can’t retrieve it. After download of all your data you can request that we delete all your data from all storage systems.

How do we test SAFE for Security flaws?

  • Upon every release of SAFE, our QA team not only tests the product to make sure that our update did not break any existing feature but we also run those tests through a security program to look for code that might allow a hacker access to the program. While nothing is ever 100% perfect, this goes a long way to ensuring our code is not vulnerable to command hacks.

Service Level Agreement