Security
Last updated: June 20, 2026
This page describes the security controls KeyTrack has in place today. It's maintained by Creative Automated Simulations and is not an independent certification.
Authentication
- Email + password sign-in, with passwords hashed by our authentication provider.
- Session tokens with automatic refresh; you can sign out from any device by changing your password.
- Password reset flow with single-use, time-limited links.
- Team invites are tied to a specific email address — only that email can accept.
Tenant isolation
Every record in KeyTrack — properties, key sets, QR tokens, history, members and invites — is tagged with a business_id. Database row-level security policies enforce that one business workspace can never read or modify another's data, even by mistake on our part. Inside a business, role-based permissions further separate what admins and staff can do.
Roles inside a business
- Admins can add properties, manage key sets, invite or remove team members, change branding, export data, and delete the business.
- Staff can scan, check keys in and out, and view history.
- Property unlock model: only admins, or staff who currently have at least one key set checked out for a property, can see that property's notes and sensitive details.
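The tenant isolation and property unlock rules described above can be expressed as row-level security policies; the sketch below is an added example, not KeyTrack's schema or code. PostgreSQL as the engine, every table and column name other than business_id, the app_user() helper and the app.user_id setting are assumptions made for illustration.

```sql
-- Added example; every name except business_id is hypothetical.
CREATE TABLE members (
    user_id bigint, business_id bigint,
    role text CHECK (role IN ('admin', 'staff')),
    PRIMARY KEY (user_id, business_id)
);
CREATE TABLE properties (
    id bigint PRIMARY KEY, business_id bigint NOT NULL, name text
);
CREATE TABLE property_details (      -- notes and sensitive details
    property_id bigint PRIMARY KEY REFERENCES properties(id),
    business_id bigint NOT NULL, notes text
);
CREATE TABLE key_sets (
    id bigint PRIMARY KEY, business_id bigint NOT NULL,
    property_id bigint NOT NULL REFERENCES properties(id),
    checked_out_by bigint            -- NULL while checked in
);

-- Assumption: the application sets app.user_id per transaction after
-- authenticating the session. Unset or empty yields NULL, so no membership
-- row matches and every policy below denies access (fail closed).
CREATE FUNCTION app_user() RETURNS bigint LANGUAGE sql STABLE AS
$$ SELECT NULLIF(current_setting('app.user_id', true), '')::bigint $$;

-- FORCE applies the policies to the table owner too; superusers and
-- BYPASSRLS roles still skip them, so the app must not connect as one.
ALTER TABLE properties       ENABLE ROW LEVEL SECURITY;
ALTER TABLE properties       FORCE  ROW LEVEL SECURITY;
ALTER TABLE property_details ENABLE ROW LEVEL SECURITY;
ALTER TABLE property_details FORCE  ROW LEVEL SECURITY;

-- Tenant isolation: USING filters reads, WITH CHECK blocks writing a row
-- into a business the caller does not belong to.
CREATE POLICY tenant_isolation ON properties
    USING      (business_id IN (SELECT m.business_id FROM members m WHERE m.user_id = app_user()))
    WITH CHECK (business_id IN (SELECT m.business_id FROM members m WHERE m.user_id = app_user()));

-- Property unlock: admins of the business, or whoever holds a key set for it now.
CREATE POLICY property_unlock ON property_details FOR SELECT USING (
    EXISTS (SELECT 1 FROM members m
            WHERE m.user_id = app_user()
              AND m.business_id = property_details.business_id
              AND m.role = 'admin')
    OR EXISTS (SELECT 1 FROM key_sets k
               WHERE k.property_id = property_details.property_id
                 AND k.business_id = property_details.business_id
                 AND k.checked_out_by = app_user())
);
```

Because the unlock check reads key_sets at query time, checking the key set back in removes the staff member's access to the property's details on the next query.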
Audit trail
Every check-in and check-out is logged with timestamp, the user who performed it, and (when provided) the recipient or notes. Admins can review history at any time and export the full audit log.
Data protection
- All traffic is served over HTTPS.
- Data at rest is encrypted by our managed database and storage providers.
- Passwords are hashed using industry-standard algorithms; we never see your plaintext password.
- Payment card data is handled by Paddle and never touches our servers.
Backups and availability
Our managed database provider takes regular automated backups. KeyTrack is a hosted service and may have occasional planned or unplanned downtime; we do not currently offer a contractual uptime SLA. Status and incidents are communicated by email to admins when they affect normal use.
Capacity and fair use
We enforce per-business caps on keys, properties, and team members (see our Acceptable Use Policy) and a short cool-down between scans of the same QR to prevent accidental double-checkouts.
Your responsibility
KeyTrack is a tracking tool. The business is responsible for the physical custody and security of the actual keys, codes, locks and properties. Choose strong account passwords, keep team membership tidy, and rotate credentials when staff leave.
Reporting a vulnerability
If you believe you've found a security issue, please email creativeautomatedsimulations@gmail.com with details. Please don't share publicly until we've had a reasonable chance to fix it.