Safe Security Whitepaper

Tracker Software 'Safe' System Security Whitepaper

Thousands of customers already trust Tracker Products for managing their evidence and assets. Enhancing the security of your data and processes within SAFE is one of our top priorities, which is why we are constantly focusing our efforts on confidentiality, integrity, and availability by use of technology, security-minded service partners, and enhanced internal support processes. Information security is based on widely-accepted standards. 

Physical Security

SAFE server, network, and storage infrastructure components are hosted at Amazon Web Services (“AWS”). Amazon’s data centers are built to exacting, rigorous standards and deliver exceptional security, power, connectivity, and environmental control. Hosting at AWS allows us to leverage a solid, securely managed infrastructure and platform base that is audited many times each year, trusted by millions of customers with varying security needs, and compliant with multiple security standards including SOC2, FedRAMP, CJIS , and ISO 27001.

Note: While our primary infrastructure is stored in AWS GovCloud, we provide private platforms in other AWS regions along with Azure (any region or Gov Cloud), Rackspace or Google.

Physical access to AWS facilities is strictly controlled, both at the parameter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Data center access is only available to employees and contractors who have a legitimate business need for such privileges.

AWS data centers also have automatic fire detection and suppression systems and fully redundant electrical power systems that can be maintained without impact to operations. This includes uninterruptible power supply (UPS) units and generators. Climate is controlled to maintain a consistent operating temperature for all servers and other hardware, which prevents overheating and reduces the possibility of service outages.

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.

Logical Data Separation

The standard SAFE software platform is a multi-tenant database structure with security controls in place to prevent cross-client data access. For clients that require stand-alone machines, we can provide private cloud options at an extra cost.

Private Cloud Facility Options

For clients that desire a Private cloud system (separate machines and software in your own dedicated structure) we can store your machine at any hosting facility offered by Amazon and Azure including GovCloud options for both.

Availability, Redundancy, and Business Continuity

The SAFE system is hosted within multiple AWS availability zones for computing and storage infrastructure and platforms. This means SAFE servers, networks, and customer data span multiple, secure, data centers located and physically separated within a metropolitan region. SAFE will automatically fail-over to an alternate availability zone if computing at the primary zone is interrupted as well as balance processing between multiple availability zones. For capacity demands, SAFE utilizes elastic computing that allows automatic scaling of resources during busy workloads, redundant databases, and network load balancing.

While SAFE has redundancies built into the AWS infrastructure with real-time database replication within the primary AWS hosting region, SAFE customer data is also fully backed up daily (database logs are dumped every 5 minutes) and copies are available in the primary AWS region where SAFE is hosted and copies of the backups are also replicated to a secondary AWS region. In the unlikely event of the primary AWS region being totally down, the backup copy within the secondary AWS region could be utilized to restore the SAFE system within 24 hours with a recovery point objective of 5 minutes. System and Network Security

SAFE servers run a hardened OS with scheduled security patches applied to provide ongoing protection from exploits. All system access is logged and tracked for auditing purposes and AWS support resources with access to SAFE servers undergo a thorough background check. Tracker support personnel utilize unique credentials to access SAFE servers and backend processes as well as multi-factor authentication into the AWS environment.

Application Security

All access to SAFE is protected by Transport Layer Security (TLS 1.2) providing both server authentication and data encryption using 256-bit certificates. This ensures your data is safe, secure, and available only to registered users in your organization with the proper permissions.

Application penetration testing (Pen-Test) is routinely conducted by a 3rd party security firm. This includes the OWASP Top Ten (Open Web Application Security Project) vulnerabilities. Any exploits found during manual and automated penetration tests are addressed and retested to ensure they are remediated in a timely manner.

SAFE requires each user to have a unique username and password that must be entered each time a user logs on. Password strength parameters are enforced by the application and include: password lengths of 10-128 characters, passwords cannot contain 2 identical characters in a row, must contain at least 3 character types out of 4 (upper case, lower case, numbers, and special characters), and passwords cannot be “reused” for one year. In addition, accounts are locked after 5 failed login attempts for a duration of 10 minutes or until unlocked by an administrator.

SAFE supports single sign-on via SAML 2.0 as well as Multi-Factor Authentication via Google Authenticator. Both are optional and configurable by the client.

People and Processes

All Tracker resources that support SAFE must complete basic security awareness training as well as role-based training where applicable. We have developed and adhere to internal change, incident, and related management processes to enhance SAFE’s reliability and to maintain information security and incorporate these processes into all aspects of service delivery. Limited support resources at Tracker have access to Amazon Web Services infrastructure and platforms for SAFE. All access and changes to AWS SAFE services are logged and periodically reviewed for appropriateness.

Tracker Products is willing to take part in any agency or state required background vetting process. Please see your sales rep if this needs to be done.

CJIS Stanards

CJIS standards are rigid guidelines to ensure that the customer (you) and your data are secured and protected. CJIS guidelines were written by the FBI specifically geared towards law enforcement agencies that are using, storing and securing 'CJI' data.

There are five primary requirements to being in line with CJIS standards.

Frequently Asked Questions

What AWS zone do we store data

What levels of Security Certifications does AWS data centers offer

What types of data are we compliant to store?

How does SAFE Support Encryption at Rest?

Do we charge extra for encryption at Rest?

Can customers have a copy of the encryption key?

Hardware Change Management


Data & System Replication

What backup procedures are in place?

What infrastructure is ‘shared’ v/s ‘dedicated’?

What are our options for long-term retention of data?

Do we support Multi-Factor Authentication?

Do we support Active Directory Authentication?

How do we handle access control and least privilege?

How do we monitor and report on account activity?

How is client data returned at the end of a contract?

How do we test SAFE for Security flaws?

Service Level Agreement

How are passwords stored in SAFE

Can any third party (your service providers) access your data, and if so, how?

How do we protect against DDoS attack

Secure VPN Tunnel

For clients that would like a secure VPN tunnel, we can use the AWS VPN cloud option to create a secure channel. Our network security team will need information about your network to make this happen.

How often to we roll out updates and when?

What are the minimum client requirements?

There are no plugins or ActiveX controllers for Safe clients. We suggest running the most current version of Chrome, Firefox or Safari. If you must use Internet Explorere, you must have at least v11. We highly suggest Edge if you must use IE.