Trust & Safety

Security

Last updated: May 8, 2026

Encryption: AES-256 + TLS 1.2+
Auth: JWT + HttpOnly cookies
Data location: Your own server
Keylogging: Never — by design

1. Security Overview

Security is foundational to Tracknesty. Our platform handles sensitive employee monitoring data — including screenshots, activity logs, and attendance records — and we treat that responsibility seriously. This page explains the technical and organisational measures we use to protect your data and keep the platform secure.

2. Data Architecture

Tracknesty is a self-hosted platform. This means your monitoring data — screenshots, logs, and attendance records — is stored on your own server or VPS, not on Tracknesty's infrastructure. The desktop agent communicates exclusively with your own backend instance. No monitoring data passes through Tracknesty's servers. This architecture eliminates a significant class of third-party data breach risk.

3. Encryption

All data transmitted between the desktop agent and your backend is encrypted using TLS 1.2 or higher. We do not support unencrypted connections. For cloud-hosted deployments, data at rest is encrypted using AES-256. Database credentials, API keys, and secrets are stored using environment variables — never hardcoded. Screenshot files are stored with restricted filesystem permissions and are not publicly accessible without authentication.

4. Authentication & Access Control

Tracknesty uses JWT-based session authentication with secure, HttpOnly cookies. Sessions expire automatically after inactivity. The platform enforces 5 role-based permission levels:
• Super Admin — full platform access
• Admin — manage members, view all reports
• Manager — view assigned teams only
• HR — attendance and correction requests
• Member — self-service only

Administrators can revoke access immediately. All login events are logged with timestamps and IP addresses.

5. Desktop Agent Security

The Tracknesty desktop agent (Windows) is designed with security and transparency in mind:
• The agent is always visible in the system tray — it is not hidden from the monitored user.
• The agent communicates only with the configured backend URL — no external third-party endpoints.
• Agent integrity is verified on startup. If the process is tampered with or suspended abnormally, the system logs an alert.
• Anti-bypass detection identifies common manipulation tools such as mouse jigglers, auto-clickers, and process suspension attacks.
• The agent does not log keystrokes or capture clipboard content.

6. Screenshot Handling

Screenshots are captured locally on the agent device and uploaded to your backend over an encrypted TLS connection. They are stored server-side with access controls that restrict viewing to authorised administrators and managers. Screenshot intervals are configurable — fixed or randomised. We recommend using randomised intervals to discourage predictable work patterns around known capture times. You can delete individual screenshots or bulk-delete by date range from the admin dashboard at any time.

7. Third-Party Dependencies

Tracknesty uses a minimal set of third-party services:
• Stripe — payment processing (PCI-DSS Level 1 certified). We never store card numbers.
• Email provider — transactional emails only (account alerts, invoices).

We do not use third-party analytics SDKs, advertising trackers, or session recording tools on the admin dashboard or agent. All open-source dependencies are regularly audited for known CVEs.

8. Security Updates & Patching

We monitor security advisories for all dependencies used in Tracknesty. Critical security patches are released as priority updates. For self-hosted deployments, you are responsible for applying updates to your server environment (OS patches, database updates). We recommend enabling automatic security updates on your hosting environment. For cloud-hosted accounts, we apply security patches automatically during maintenance windows.

9. Responsible Disclosure

If you discover a security vulnerability in Tracknesty, please report it responsibly:

Email: support@tracknesty.com
Subject: "Security Vulnerability Report"

Please include:
• A description of the vulnerability
• Steps to reproduce
• Potential impact

We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days. We ask that you do not publicly disclose the vulnerability until a fix has been released.

10. Contact

For security questions, vulnerability reports, or penetration testing inquiries:

Email: support@tracknesty.com
Response time: within 48 hours for security reports

Found a vulnerability?
Report it to support@tracknesty.com — we acknowledge within 48 hours.