Overview
Deer Track is operated by MB Travel Solutions, a Lithuanian company, and is hosted in the European Union. Security and data protection are built into how we design, build and run the Service rather than added afterwards. This page summarises the technical and organisational measures we apply; the formal, contractually-binding version lives in Annex II of our Data Processing Addendum.
Hosting & infrastructure
- Production systems are designed to run on hardened infrastructure in EU regions; see our Subprocessors for the providers involved.
- We aim to keep production, staging and development environments segregated.
- Network protection typically includes a Web Application Firewall and DDoS mitigation.
- Customer Data is stored within the EEA wherever possible; any onward transfer is governed by the EU Standard Contractual Clauses.
Encryption
- All data in transit is encrypted with TLS 1.2 or higher.
- Data at rest — databases, object storage and backups — is encrypted with AES-256 or equivalent.
- Secrets are held in encrypted secret management; no production secrets live in source control.
Access control
- We use multi-factor authentication for administrative access to production systems.
- Access follows least-privilege and role-based principles, with access reviews carried out periodically.
- Single sign-on is available on relevant plans, and we enforce password policies for accounts.
Application security
- We aim to follow a secure software-development lifecycle with code review and automated CI/CD checks.
- We monitor dependencies and scan production systems for known vulnerabilities.
- We aim to use independent specialists for periodic penetration testing of production systems as the platform matures.
- Card payments are handled by Stripe; we do not store full card numbers on our servers.
Monitoring & resilience
- Centralised logging and alerting, with access to logs restricted on a need-to-know basis.
- Encrypted backups, with restoration tested periodically.
- An incident-response process with defined roles, and a commitment to notify affected Customers of a personal-data breach without undue delay and in any event within 72 hours.
- Business-continuity and disaster-recovery procedures, reviewed periodically.
People & vendors
- Confidentiality obligations are written into employment and contractor agreements.
- Staff receive security and privacy training.
- Every subprocessor is security-reviewed before engagement and bound by written data-protection terms no less protective than our own — see Subprocessors.
Your data & privacy
You own your data. We process Customer Data only on your instructions and never sell it. You can export your data at any time using in-product tools, and we delete it after termination in line with our DPA. For how we handle personal data more broadly, see our Privacy Policy.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@deertrack.net with enough detail to reproduce the issue. Please give us a reasonable opportunity to investigate and remediate before any public disclosure, and avoid accessing or modifying other users’ data, degrading the Service, or running automated scanning that could disrupt it. We will acknowledge your report, keep you updated, and we will not pursue legal action against researchers who act in good faith under these guidelines.
Contact
Security questions, vulnerability reports and due-diligence requests: security@deertrack.net. For data-protection enquiries, write to privacy@deertrack.net.