Security overview
This page describes the security posture we target for the Tracking deployment. Replace organisation-specific details (regions, subprocessors, retention) as needed for your environment.
Encryption in transit (TLS)
All connections between your browser and the Service use TLS (HTTPS); require TLS 1.2 or later and prefer TLS 1.3. Redirect plain HTTP to HTTPS at the edge and send an HTTP Strict-Transport-Security header so browsers stop attempting HTTP at all. Disable obsolete protocols (SSLv3, TLS 1.0 and 1.1) and weak cipher suites (RC4, 3DES, export-grade and NULL ciphers) on load balancers and web servers, prefer ECDHE suites for forward secrecy, and re-check the live endpoint with a TLS scanner after every configuration change, since a redeploy can silently restore a permissive default.
Geographic access controls
Application traffic is restricted to New Zealand and Australia at the network edge where technically feasible (for example firewall or WAF rules that block requests whose source address geolocates to an unexpected country). Treat this as a way to cut exposure and noise rather than as an access control: geo-IP data is approximate, and VPNs, proxies and mobile carriers routinely place a user in the wrong country, so authentication and authorisation must not depend on it, and blocked requests should be logged so that false positives affecting legitimate users can be found. Administrative access should be constrained more tightly (allow-listed addresses, a VPN or a bastion host) and monitored.
Security logging & alerting
Security-relevant events (authentication failures and successes, privilege changes, unusual traffic patterns, blocks and errors from edge protections) are logged centrally with timestamps and correlation identifiers, so that a single request can be followed across the edge, the application and the database. Hosts should synchronise their clocks (NTP) so timestamps line up, and the central store should be append-only from the point of view of the hosts writing to it, so an attacker who compromises a host cannot erase its history. Alerts notify on-call staff when thresholds (for example repeated failures from one address) or suspicious sequences (a burst of failures followed by a successful login and a privilege change) are detected so incidents can be investigated quickly.
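The two alert conditions mentioned above, run over sample log lines, as an added example (not code from this page or its project). The log lines are constructed for the example, one JSON object per line with the fields described above (timestamp, event name, correlation id, actor, source address); the event names, field names and thresholds are assumptions to adapt to your own log schema.

```python
"""Detection rules over centrally collected security events (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): alice's address fails five times in
# twelve seconds, then logs in and is promoted; bob is ordinary; one edge geo-block event.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","event":"auth.failure","cid":"c1","user":"alice","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:03Z","event":"auth.failure","cid":"c2","user":"alice","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:07Z","event":"auth.failure","cid":"c3","user":"alice","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:09Z","event":"auth.failure","cid":"c4","user":"alice","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:12Z","event":"auth.failure","cid":"c5","user":"alice","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:20Z","event":"auth.success","cid":"c6","user":"alice","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:01:00Z","event":"privilege.change","cid":"c7","user":"alice","ip":"203.0.113.5","detail":"role=admin"}
{"ts":"2024-05-01T10:05:00Z","event":"edge.geo_block","cid":"c8","ip":"198.51.100.9","country":"US"}
{"ts":"2024-05-01T11:00:00Z","event":"auth.failure","cid":"c9","user":"bob","ip":"192.0.2.44"}
{"ts":"2024-05-01T11:00:30Z","event":"auth.success","cid":"c10","user":"bob","ip":"192.0.2.44"}
"""

# Thresholds are illustrative assumptions; tune them to your traffic.
FAILURE_THRESHOLD = 5                        # failures from one source address ...
FAILURE_WINDOW = timedelta(seconds=60)       # ... inside this sliding window
ESCALATION_WINDOW = timedelta(minutes=10)    # burst followed by a privilege change


def parse_lines(text):
    """Yield one dict per non-empty line, with ts parsed to a datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def detect(text):
    """Run both rules over the log text and return the alerts raised, in order.

    Each alert carries the correlation id of the event that triggered it so the
    on-call engineer can pivot straight to the surrounding request logs."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside FAILURE_WINDOW
    burst_seen_at = {}                      # ip -> time the threshold was first crossed
    for rec in parse_lines(text):
        ip = rec.get("ip")
        if rec["event"] == "auth.failure":
            window = recent_failures[ip]
            window.append(rec["ts"])
            while rec["ts"] - window[0] > FAILURE_WINDOW:   # drop timestamps that fell out
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and ip not in burst_seen_at:
                burst_seen_at[ip] = rec["ts"]               # alert once per burst
                alerts.append({"rule": "auth_failure_burst", "ip": ip,
                               "count": len(window), "cid": rec["cid"]})
        elif rec["event"] == "privilege.change":
            burst = burst_seen_at.get(ip)
            if burst is not None and rec["ts"] - burst <= ESCALATION_WINDOW:
                alerts.append({"rule": "privilege_change_after_failure_burst",
                               "ip": ip, "user": rec.get("user"), "cid": rec["cid"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the sample, the first rule fires on the fifth failure (correlation id c5) and the second on the promotion at c7; bob's single failure and the geo-block event raise nothing. In a real pipeline the same two functions would consume a stream from the central log store instead of a string.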
Multi-factor authentication (MFA)
Users can enable MFA (for example time-based one-time codes, TOTP, from an authenticator app) for stronger account protection. We encourage MFA for all accounts, and especially for administrators and trainers handling client data. When implementing TOTP, store seeds encrypted, rate-limit verification attempts, refuse a code that has already been accepted for its time step, and issue recovery codes at enrolment. TOTP codes can still be relayed by a real-time phishing page, so where clients support them, phishing-resistant methods (FIDO2/WebAuthn passkeys) are the stronger choice for administrator accounts.
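How the time-based codes mentioned above are generated and checked on the server, as an added example written for this page (not the Service's own MFA code). It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, verifies in constant time with a one-step skew allowance, and refuses replays of an already-used counter; the `last_used` bookkeeping and the function names are this example's own assumptions about how the caller persists state.

```python
"""TOTP generation and verification (added example, RFC 4226 / RFC 6238, HMAC-SHA1)."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (`at`) and the step size."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_used=None,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Return the counter the code matched, or None if it is rejected.

    Accepts the current step plus `skew` steps either side to absorb clock drift,
    compares every candidate in constant time (no early exit), and refuses any
    counter not greater than `last_used` so a captured code cannot be replayed.
    The caller persists the returned counter as the account's new last_used."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = at // step
    matched = None
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted) and matched is None:
            matched = c
    if matched is not None and last_used is not None and matched <= last_used:
        return None      # replay of a code already accepted for this or an earlier step
    return matched


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the seed base32-encoded (otpauth:// URI); decode it,
    tolerating the unpadded form most apps emit. Store the raw seed encrypted at rest."""
    return base64.b32decode(encoded.upper() + "=" * (-len(encoded) % 8))


if __name__ == "__main__":
    import time
    seed = b"12345678901234567890"          # RFC 6238 test seed, not a real user's
    print("current code:", totp(seed, int(time.time())))
```

The expected values below are the RFC 6238 Appendix B vectors for the SHA1 seed `12345678901234567890`, which is how to check any TOTP implementation before wiring it to real accounts. Rate limiting of verification attempts belongs in the caller, in front of `verify_totp`.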
Backups
Databases and critical configuration are backed up on a regular schedule to encrypted off-site or segregated storage. Keep the credentials that can delete or overwrite backups separate from production credentials, so that a compromised application host cannot destroy its own backups along with the live data. Restore drills are performed periodically, into a non-production environment, to verify recoverability within your recovery time objective (how long a restore takes) and recovery point objective (how much recent data may be lost); a backup that has never been restored is an assumption, not a control.
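A restore drill in miniature, as an added example (not the project's backup tooling): take a logical dump of a small constructed SQLite database, record a checksum, restore into a scratch database rather than the live one, and compare row counts and integrity against expectations, flagging a backup older than the RPO. SQLite stands in for the production database, the sample tables and the RPO values are constructed for the example, and in production the dump would be encrypted before leaving the host.

```python
"""Restore drill in miniature (added example): dump, checksum, restore to scratch, verify."""
import hashlib
import sqlite3
import time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the production database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE clients(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE meals(id INTEGER PRIMARY KEY,
                           client_id INTEGER NOT NULL REFERENCES clients(id),
                           kcal INTEGER NOT NULL);
        INSERT INTO clients VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO meals VALUES (1, 1, 520), (2, 1, 610), (3, 2, 430);
    """)
    return con


def table_counts(con: sqlite3.Connection) -> dict:
    """Row count per user table; the drill's cheap sanity check after a restore."""
    names = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    return {n: con.execute(f'SELECT count(*) FROM "{n}"').fetchone()[0] for n in names}


def take_backup(con: sqlite3.Connection) -> dict:
    """Logical dump plus a manifest (time taken, SHA-256). In production the dump is
    encrypted before it leaves the host and the manifest is kept in the backup
    catalogue, separate from the archive, so a tampered archive is detectable."""
    dump = "\n".join(con.iterdump()).encode()
    return {"taken_at": time.time(), "dump": dump, "sha256": sha256_hex(dump)}


def restore_drill(backup: dict, expected_counts: dict, rpo_seconds: float,
                  now: float = None) -> list:
    """Return findings; an empty list means the drill passed.

    Order matters: check age, verify the checksum before executing anything from the
    archive, restore into a scratch database (never over the live one), then compare
    row counts and run SQLite's own integrity check."""
    findings = []
    now = time.time() if now is None else now
    age = now - backup["taken_at"]
    if age > rpo_seconds:
        findings.append(f"backup is {age:.0f}s old, older than the RPO of {rpo_seconds:.0f}s")
    if sha256_hex(backup["dump"]) != backup["sha256"]:
        findings.append("checksum mismatch: dump corrupted or tampered, restore aborted")
        return findings
    scratch = sqlite3.connect(":memory:")
    scratch.executescript(backup["dump"].decode())
    got = table_counts(scratch)
    if got != expected_counts:
        findings.append(f"row counts after restore {got} != expected {expected_counts}")
    if scratch.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
        findings.append("integrity_check failed on the restored database")
    return findings


if __name__ == "__main__":
    live = make_sample_db()
    print(restore_drill(take_backup(live), table_counts(live), rpo_seconds=24 * 3600))
```

Recording the wall-clock time the full drill takes gives the measured RTO to compare against the target; the findings list is what an alert or ticket would carry.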
Third-party LLM processing
AI-assisted features (calorie estimates and lifestyle reviews) call third-party LLM APIs over authenticated server-side connections. Depending on configuration, the provider is Anthropic (Claude) or Alibaba (Qwen 3.5 or another Qwen model). User content sent for inference must travel over TLS from the client to our application and again from our infrastructure to the LLM provider (or through a proxy we control), with certificate verification left enabled on the server-side client. API keys for Anthropic, Alibaba, or the proxy must not be exposed to browsers or mobile clients: the client calls our API, and only our servers hold the provider credentials, read from server-side secret storage, scoped per environment, and rotated if exposure is suspected.
Log AI requests at an appropriate level (for example provider, success/failure, latency, and correlation id) without retaining full meal text longer than needed for support and debugging; by default record the prompt's length or a hash rather than the prompt itself, and never log the API key or the Authorization header. See the privacy page section on third-party AI for what users are told about data sent to these providers.
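The server-side pattern described in the two paragraphs above (key held only on the server, metadata-only logging), as an added example that is not the project's own code. The provider table, its placeholder URLs and environment-variable names, the generic bearer header and the injectable `transport` callable are all assumptions of this example: real provider APIs have their own authentication headers and endpoints, and in production `transport` would be an HTTPS client with certificate verification enabled.

```python
"""Server-side wrapper for third-party LLM calls (added example): the API key never
leaves the server, and the log line carries metadata rather than the user's meal text."""
import hashlib
import json
import os
import time
import uuid

# Placeholder provider table for this example; take URLs, header schemes and secret
# names from your deployment configuration and the provider documentation.
PROVIDERS = {
    "anthropic": {"url": "https://llm-anthropic.example/v1/messages", "key_env": "ANTHROPIC_API_KEY"},
    "alibaba":   {"url": "https://llm-qwen.example/v1/chat",          "key_env": "DASHSCOPE_API_KEY"},
    "proxy":     {"url": "https://ai-proxy.internal.example/v1/chat", "key_env": "AI_PROXY_KEY"},
}


def client_visible_config(provider: str) -> dict:
    """All a browser or mobile client may learn: the provider name. Keys and upstream
    URLs stay server-side; the client only ever talks to our own API."""
    return {"provider": provider}


def load_api_key(provider: str, env=os.environ) -> str:
    """Read the key from server-side configuration; fail closed if it is missing."""
    key = env.get(PROVIDERS[provider]["key_env"])
    if not key:
        raise RuntimeError(f"no API key configured for {provider}")
    return key


def log_record(provider: str, cid: str, ok: bool, started: float, prompt: str) -> str:
    """Metadata-only log line. A truncated hash lets support recognise a repeated
    prompt without the log store ever holding the meal text."""
    return json.dumps({
        "event": "ai.request", "provider": provider, "cid": cid, "ok": ok,
        "latency_ms": round((time.monotonic() - started) * 1000),
        "prompt_chars": len(prompt),
        "prompt_sha256_16": hashlib.sha256(prompt.encode()).hexdigest()[:16],
    })


def call_llm(provider: str, prompt: str, transport, *, correlation_id=None,
             env=os.environ, log=print):
    """Send `prompt` to the configured provider via `transport(url, headers, body)`.

    Exactly one log record is emitted whether the call succeeds or raises, and it
    never contains the key or the prompt. The generic bearer header is illustrative."""
    cfg = PROVIDERS[provider]
    api_key = load_api_key(provider, env)
    cid = correlation_id or str(uuid.uuid4())
    headers = {"Authorization": f"Bearer {api_key}", "X-Correlation-Id": cid}
    started = time.monotonic()
    ok = False
    try:
        reply = transport(cfg["url"], headers, {"input": prompt})
        ok = True
        return reply
    finally:
        log(log_record(provider, cid, ok, started, prompt))


def offline_transport(url, headers, body):
    """Constructed stand-in for the HTTPS client so the example runs without network."""
    return {"text": "about 520 kcal", "url": url}


if __name__ == "__main__":
    demo_env = {"ANTHROPIC_API_KEY": "sk-example-not-real"}   # constructed, not a real key
    print(call_llm("anthropic", "two bananas and a bowl of porridge",
                   offline_transport, env=demo_env))
```

Passing `env` and `log` explicitly is what makes the no-leak property testable: the checks below confirm that the log line contains the provider, correlation id and outcome but neither the key nor any word of the meal text, that a transport failure still produces a record with `ok` false, and that a missing key stops the request before anything is sent or logged.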
Encryption at rest
Stored application data and backups use encryption at rest provided by the hosting platform or disk-level encryption (for example volume encryption on database servers and object storage with server-side encryption). Be clear about what this protects against: loss or reuse of physical media and some storage-layer exposures, not an attacker who holds valid application or database credentials, for whom the platform decrypts transparently. Record who controls the keys and how they are rotated; with platform-managed keys that is the hosting provider.
Report a vulnerability
If you discover a security issue, please contact us at [replace with security@your-domain] with enough detail to reproduce the problem. We appreciate responsible disclosure and will work with you on coordinated fixes.