Security

Security is a first-class concern at Pythrack Technologies, in both the systems we build for clients and the infrastructure that supports this website. This page describes our practices and how to report a vulnerability if you discover one.

We apply security practices throughout the development process, not only at the end:

• Code review with security considerations for every change
• Dependency scanning to identify known vulnerabilities in third-party packages
• Environment separation: development, staging, and production are fully isolated
• Secrets management via environment variables — no credentials in source code
• Principle of least privilege for all service accounts and infrastructure roles

All data transmitted between users and Pythrack-operated websites and services is encrypted in transit using TLS 1.2 or higher. We enforce HTTPS across all domains and configure HSTS where appropriate.

Sensitive data stored in systems we operate is encrypted at rest using industry-standard algorithms. We do not store plaintext passwords — authentication credentials (where used in our products) are hashed using modern adaptive algorithms.

Production infrastructure is hosted on reputable cloud providers with strong security postures. Our practices include:

• Automated security patching for server operating systems and dependencies
• Regular backups with tested restore procedures
• Uptime monitoring with automated alerting for anomalies
• Access to production systems restricted to authorised Pythrack personnel only
• Network-level firewalling to limit exposure of non-public services

If you believe you have found a security vulnerability in any Pythrack-operated system, please report it to us privately before disclosing it publicly. We take all reports seriously and will respond promptly.

How to report: Send an email to pythrack@gmail.com with the subject line "Security Disclosure". Include a description of the vulnerability, the affected system, and steps to reproduce. We will acknowledge your report within 48 hours and keep you informed as we investigate and resolve the issue.

We ask that you give us reasonable time to address the issue before any public disclosure, and that you do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue.

For systems we build for clients, we apply the same security standards described above and tailor specific controls to the risk profile of each project. Security requirements are discussed during the discovery phase and documented in the project specification. We are happy to work with clients' own security teams or auditors.