
Security Overview

Created: 11 Mar 2026

Last updated: 19 Mar 2026

Security

This page provides an overview of the principal security controls used by Apperley Holdings Ltd. trading as TrackQUAL ("TrackQUAL", "we", "us" or "our") in connection with the TrackQUAL platform and related services.

This page is intended as a practical security summary. It does not describe every internal control, operational procedure, or confidential technical safeguard. For further assurance information, questionnaires, or implementation-specific discussion, please contact the TrackQUAL team.

1. Security Approach

This section explains the overall philosophy behind the platform's security controls.

TrackQUAL applies a defence-in-depth approach to security. This means security is not dependent on one control alone. Instead, multiple controls are applied across identity, access, tenancy context, infrastructure, application logic, data handling, monitoring, and operational response.

Our security approach is guided by the following principles:

  • least-privilege access wherever reasonably possible;
  • controlled separation of customer and tenant contexts;
  • secure-by-default application and infrastructure configuration;
  • protection of data confidentiality, integrity, and availability; and
  • ongoing review and improvement of controls over time.

2. Access Controls and Tenancy Segregation

This section addresses access control and tenant segregation directly.

TrackQUAL is designed as a tenant-aware platform. Access to the service is not only based on whether a user is signed in, but also on what role they hold, which tenant or customer context they belong to, and which actions they are authorised to perform.

Current controls include:

  • role-based access controls to restrict features and actions based on the user's role;
  • tenant-aware access handling designed to ensure users operate within the correct organisational context;
  • customer and tenant administration controls to manage which users can access which environments;
  • least-privilege principles for operational and administrative access; and
  • separation of duties for more sensitive or higher-impact functions where appropriate.

At a high level, the platform is intended to support logical separation between tenant environments within a shared application architecture. This page should be read alongside our Architecture Overview for additional context on the platform model.

3. Authentication Controls

This section addresses how identities are verified and protected.

TrackQUAL applies controls intended to reduce the risk of unauthorised access and credential misuse.

Current authentication-related controls include:

  • strong password requirements and credential-handling practices;
  • secure sign-in flows and session handling;
  • email verification support within account lifecycle processes;
  • rate limiting and anti-abuse protections on authentication-related flows; and
  • temporary authentication challenge handling for stronger login workflows where used.

4. Two-Factor Authentication (2FA)

This section addresses 2FA capability directly.

TrackQUAL supports two-factor authentication as an additional layer of sign-in assurance beyond passwords. Where enabled, users must complete a second verification step during authentication.

This capability is intended to reduce the likelihood of account compromise where a password alone is insufficient protection.

Current 2FA-related controls include:

  • support for second-factor verification during login;
  • short-lived challenge flows and expiry controls;
  • security-aware handling of failed verification attempts; and
  • support for stronger authentication workflows for users and scenarios requiring additional assurance.

5. Encryption Approach

This section addresses encryption in transit and at rest.

TrackQUAL is designed to use encryption in transit and encryption at rest as part of its security model.

At a high level:

  • data transmitted between clients and the service is intended to be protected in transit using TLS;
  • data stored within managed platform services is protected at rest where supported and configured through the relevant infrastructure or platform services;
  • secure transport and service integration patterns are used where platform components communicate across service boundaries; and
  • encryption is treated as one layer within a broader control model that also includes access restriction, monitoring, and operational safeguards.

This summary should not be read as a statement of every implementation parameter or every underlying platform encryption setting, but as the high-level approach used by TrackQUAL.

6. Session and Application Security Controls

This section covers the controls around active sessions and in-app behaviour.

TrackQUAL uses session-aware controls to manage authenticated access and reduce the risk of inappropriate persistence or context confusion.

Current controls include:

  • secure session management practices;
  • controlled handling of authentication and active tenant context;
  • cookie and token handling appropriate to the function being performed;
  • anti-abuse controls around public and authentication-related endpoints; and
  • application-layer constraints intended to reinforce authorisation and role boundaries.

7. Logging and Monitoring

This section addresses logging and monitoring directly.

TrackQUAL uses logging, monitoring, and operational visibility controls to support service oversight, security review, and incident response.

Current practices include:

  • recording relevant account, security, and workflow-related events;
  • operational monitoring and alerting to help identify unusual behaviour or service issues;
  • audit-oriented event history for selected security-sensitive actions; and
  • review of relevant system and service events to support investigation and remediation where needed.

Logging and monitoring are intended to support both day-to-day operational reliability and the identification of potential security issues.

8. Backup, Restore, and Resilience

This section addresses backup and restore expectations.

TrackQUAL is operated with resilience and continuity in mind. While resilience depends on both application design and underlying managed services, our approach includes measures intended to support recoverability and service continuity.

At a high level, this includes:

  • use of managed cloud services for core platform components;
  • backup and recovery planning for key data and service components;
  • controlled maintenance and operational processes;
  • practical restore and recovery considerations as part of service operations; and
  • ongoing review of resilience and continuity measures as the platform evolves.

This page is not intended to act as a formal availability commitment or service level agreement.

9. Incident Management and Support Model

This section addresses incident response and support directly.

TrackQUAL maintains an operational approach to incident handling and service support intended to support timely review, response, and remediation when issues arise.

At a high level, this includes:

  • identification and triage of security or operational incidents;
  • investigation and containment activity where appropriate;
  • recovery and remediation planning;
  • support engagement and internal operational escalation where required; and
  • follow-up review of issues to inform control improvement over time.

Where TrackQUAL acts as a processor for customer personal data, any personal data breach handling is also addressed through our Data Processing Addendum and related contractual commitments.

10. Infrastructure and Platform Hardening

This section covers cloud and platform-level hardening.

TrackQUAL is operated using Azure-aligned infrastructure and managed service patterns. Our security posture includes a combination of cloud-native protections, controlled access, and ongoing operational hardening.

Current measures include:

  • restricted operational and administrative access paths;
  • managed hosting, storage, and database service usage;
  • patching and maintenance processes;
  • secure configuration practices; and
  • monitoring and audit-oriented controls around key platform activity.

11. Data Protection and UK Data Residency Position

This section addresses the GDPR/DPA and UK residency concerns at a high level.

TrackQUAL's security controls sit alongside its data protection framework. Our legal and privacy position is documented more fully in our Privacy Policy, Data Processing Addendum, and Subprocessors page.

At a high level:

  • TrackQUAL is generally a processor for customer platform data processed on behalf of customers;
  • TrackQUAL acts as an independent controller for limited categories of account, billing, support, security, and operational data as described in our privacy documentation;
  • we aim to operate with a UK-aligned hosting and data handling model where configured and applicable; and
  • where third-party providers or cross-border processing are involved, the position is described through our contractual and privacy documentation rather than this page alone.

This page is not intended to replace the DPA or act as a complete statement of international transfer or data residency terms.

12. Continuous Improvement

This section explains that security is continuously reviewed and improved.

TrackQUAL treats security as an ongoing process rather than a fixed state. We continue to review controls, identify areas for strengthening, and improve the platform over time.

This includes:

  • ongoing review of access and authorisation controls;
  • security testing and remediation activity;
  • further strengthening of operational and identity controls; and
  • planned enterprise-focused improvements such as stronger identity and governance capabilities.

13. Contact and Assurance

This section explains how to request more detail.

If you require further assurance information, additional detail about our security controls, or a security questionnaire response, please contact the TrackQUAL team.

Apperley Holdings Ltd. trading as TrackQUAL
Company number: 15798690
Burcombe Road, Chalford, GL6 8BH
Email: info@trackqual.com
Telephone: 01453 374453

Copyright © 2026 Apperley Holdings Ltd. (no. 15798690) t/a TrackQUAL - All rights reserved.