What is encrypted at rest
Beyond transport encryption and hashed credentials, TrackJet vaults third-party personal data — currently the sender address and subject of mail-in emails — with per-field authenticated encryption (XSalsa20-Poly1305 via libsodium). A database dump yields ciphertext for vaulted columns; the key lives outside the database.
Properties your auditor will ask about:
- Non-deterministic: equal plaintexts produce different ciphertexts because every value is encrypted under a fresh random nonce, so a dump leaks no equality relation between rows. The flip side, which an auditor should expect: vaulted columns cannot be indexed or matched by equality on the ciphertext.
- Authenticated: a tampered ciphertext, or decryption under the wrong key, fails the Poly1305 tag check and returns an error, never wrong plaintext.
- Versioned format (tjv1: prefix): every stored value names the format it was written in, so keys and algorithms can be rotated without ambiguity about how to decrypt an existing value.
Crypto-shredding on deletion
Account deletion destroys the keys protecting the account's encrypted material. The practical consequence: backups containing the ciphertext become permanently unreadable for that user, without rewriting history or violating backup immutability. The guarantee holds only as long as the key never sits beside the ciphertext and deletion reaches every copy of it, including any key backup or escrow; a backup that also captured the key would not be shredded. Deletion produces a receipt.
Minimisation by design
- Analytics: cookieless; sessions are identified by irreversible hashes whose key rotates daily, so visits on different days cannot be linked to one visitor; query strings are never stored.
- Mail-in: bodies are not stored — only routing metadata, with sender/subject vaulted.
- Logs: referrers reduced to categories, user agents to device classes, geo to country.
What to request in a review
Ask for: the vault spec (this page + tjv1 format), the deletion receipt flow, the analytics design, and the audit-log sealing description ([security & operations](/docs/security-operations)). We answer specifics under NDA via [contact](/contact).