TariffTracker Security
Last updated March 10, 2026

Security & Data Handling

How TariffTracker.ai is built, how your BOM data is protected, and how to report security issues responsibly.

🏗 Infrastructure

  • Hosted on a global edge network — SOC 2 Type II certified infrastructure.
  • Database: managed Postgres with row-level security (RLS) enforced at the database layer.
  • All API routes run server-side — no client-side credentials or secrets are exposed.
  • Hosted on Vercel with HTTPS enforced on all routes.
  • Security headers configured via next.config.mjs on all responses: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security.
🔐 Authentication

  • Authentication powered by Clerk — a SOC 2 Type II certified identity provider.
  • Passwords are hashed by Clerk using industry-standard bcrypt; TariffTracker never stores plaintext credentials.
  • Session tokens are short-lived and rotated on each request.
  • OAuth sign-in (Google) is available as a passwordless alternative.
  • Signed-in users can only access their own saved BOMs — enforced at both the API and database levels via RLS.
📦 Data Handling

  • BOM data you upload or paste is processed server-side and stored only if you explicitly save a project.
  • Saved BOM projects are tied to your user ID and are never visible to other users.
  • BOM data is never sold, shared with third parties, or used to train AI models.
  • Unsaved BOM sessions are not persisted — data exists only in browser memory during your session.
  • Part numbers you look up are written to a lookup-history table for your own history feature — this data is isolated per user.
  • Email addresses collected via the subscribe and waitlist forms are used only for product updates. To stop receiving emails, reply to any message or email us at pro@tarifftracker.ai.
🔒 Encryption & Transit Security

  • All data in transit is encrypted with TLS 1.2 or higher.
  • Data at rest in our cloud database is encrypted using AES-256 at the storage layer.
  • API responses include appropriate Cache-Control headers to prevent sensitive data from being cached by intermediate proxies.
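The security headers listed under Infrastructure and the Cache-Control rule for API responses can both be expressed in a single Next.js headers() configuration. The following next.config.mjs is an added illustration, not TariffTracker's actual config; the page names only the header names, so the header values and the /api/:path* route pattern are assumptions.

```javascript
// next.config.mjs (added example, not TariffTracker's own config).
// Applies the listed security headers to every route and adds a no-store
// Cache-Control to API routes so per-user BOM data is never cached by proxies.

// Assumed values: the page lists the header names only.
const securityHeaders = [
  // Forbid framing of the app by any other site (clickjacking defence).
  { key: "X-Frame-Options", value: "DENY" },
  // Stop browsers from MIME-sniffing responses into a different type.
  { key: "X-Content-Type-Options", value: "nosniff" },
  // Send only the origin as referrer on cross-site navigations.
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  // Deny browser features the app does not use.
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  // HSTS: force HTTPS for two years, including subdomains.
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
];

// API responses carry BOM data tied to a user: forbid caching anywhere.
const apiCacheHeaders = [
  { key: "Cache-Control", value: "private, no-store, max-age=0" },
];

// Plain function so the rules can be unit-tested without booting Next.js.
// Next.js applies every rule whose source matches, so /api/* gets both sets.
export function buildHeaders() {
  return [
    { source: "/:path*", headers: securityHeaders },
    { source: "/api/:path*", headers: apiCacheHeaders },
  ];
}

// Look up the value a rule sets for a header (undefined if not set).
export function headerValue(source, key) {
  const rule = buildHeaders().find((r) => r.source === source);
  const hit = rule && rule.headers.find((h) => h.key === key);
  return hit ? hit.value : undefined;
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    return buildHeaders();
  },
};

export default nextConfig;
```

A quick check after deploying is to fetch any API route with curl -sI and confirm both the five security headers and the no-store Cache-Control are present on the response.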
✏️ Data Correction

  • You can delete any saved BOM project from the BOM tool at any time.
  • To request deletion of your account and all associated data, contact TariffTracker in writing — account self-deletion is also coming to account settings.
  • We will process deletion requests within 30 days and confirm via email.
  • Lookup history can be cleared from within your account settings (coming soon).
🐛 Vulnerability Disclosure

  • We follow responsible disclosure. If you discover a security vulnerability, please contact pro@tarifftracker.ai.
  • Include a description of the issue, steps to reproduce, and your contact information.
  • We will acknowledge your report within 48 hours and work toward a fix within 30 days for critical issues.
  • We do not operate a bug bounty program at this time, but we do credit researchers in our changelogs (with permission).
  • Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.