Security & Compliance

Government-grade security. Independently verified.

Art Trackers is built on infrastructure with established, audited security programs. Every component is a managed service with published compliance documentation.

What Matters to Your IT Team

Security posture at a glance.

Data in transit: HTTPS / TLS 1.2+ enforced at the CDN and API layers.

Data at rest: AES-256 encryption via Supabase.

MFA: Available and agency-enforceable via Clerk.

SSO: Google OAuth, Microsoft OAuth. SAML 2.0 on request.

Agency data isolation: Clerk Organizations (auth layer) + Supabase RLS (database layer). Two independent layers.

Audit log: All actions logged with timestamp and user ID. Append-only.

Data residency: All data in US — AWS us-east-1 (Northern Virginia).

SOC 2 Type II: Supabase and Clerk certified. Reports under NDA.

Data export: Full CSV and JSON at any time, no fee.

DPA: Available on request.

Agency Data Isolation

Two independent layers of data separation.

Layer 1 — Clerk Organizations (Authentication)

Every staff member belongs to a Clerk Organization. Authentication tokens carry the organization ID. No staff member can authenticate as part of another agency.

Layer 2 — Supabase Row-Level Security (Database)

Every database query is filtered by organization ID at the database level. Even if an application error occurred, the database would return no cross-agency data. Two independent layers mean no single point of failure.
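As an added example (not Art Trackers' own schema or code), this is what a Layer 2 policy of the kind described above looks like in Supabase Postgres, filtering every row by the organization ID carried in the verified token. It assumes a table `artworks` with a text column `org_id`, and that the Clerk-issued JWT exposes the organization ID in a claim named `org_id`; both names are assumptions.

```sql
-- Added example, not the Art Trackers schema. Assumed: a table "artworks"
-- with a text column "org_id", and a JWT claim named "org_id" (check the
-- Clerk JWT template in use; the claim name is an assumption here).

create table if not exists artworks (
  id     bigint generated always as identity primary key,
  org_id text   not null,
  title  text   not null
);

-- Enable RLS, and force it so the policy also binds the table owner.
alter table artworks enable row level security;
alter table artworks force  row level security;

-- Organization ID from the verified request token, or NULL if absent.
-- auth.jwt() is Supabase's built-in that returns the token claims as jsonb.
create or replace function current_org_id() returns text
language sql stable as $$
  select nullif(auth.jwt() ->> 'org_id', '');
$$;

-- Reads and writes are limited to rows whose org_id equals the caller's.
-- A NULL org_id (token without an organization) matches no rows at all,
-- so a missing claim fails closed rather than open.
create policy artworks_org_isolation on artworks
  for all
  to authenticated
  using      (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Constructed check for a migration test: impersonate a request from
-- organization "org_A" the way Supabase sets claims per request, and
-- confirm no foreign rows are visible.
-- begin;
--   set local role authenticated;
--   set local request.jwt.claims = '{"org_id":"org_A","role":"authenticated"}';
--   select count(*) from artworks where org_id <> 'org_A';  -- expect 0
-- rollback;
```

One caveat a reviewer will ask about: the Supabase service-role key bypasses RLS entirely, so this layer only holds for requests made with end-user tokens, and that key must stay server-side.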

Infrastructure

Built on audited platforms.

Supabase PostgreSQL

SOC 2 Type II certified. Hosted on AWS us-east-1. AES-256 encryption at rest.

Clerk Authentication

SOC 2 Type II certified. MFA, Google OAuth, Microsoft OAuth, SAML 2.0 on request.

Vercel CDN

Global CDN. HTTPS enforced. No server infrastructure to manage on your side.

Stripe Payments

PCI DSS Level 1 certified. Art Trackers never stores card data.

Preparing for IT review?

We respond to security and procurement enquiries within one business day.