Security at CryoTrak

CryoTrak monitors high-value pharmaceutical and biotech shipments. We take the security of that data seriously, and we believe the way to demonstrate that is to be specific about what we do today, what we are working towards, and how to reach us if you find something we missed.

Where we run

The CryoTrak public website (cryotrak.com), demo (demo.cryotrak.com), and contact-form backend all run entirely on Cloudflare infrastructure: Cloudflare Pages for static content, Cloudflare Pages Functions for the contact-form API, Cloudflare D1 for submission storage, and Cloudflare Email Routing for inbound mail. We do not operate our own servers, and we do not host customer telemetry data on third-party clouds beyond Cloudflare. Cloudflare maintains SOC 2 Type II, ISO 27001, ISO 27018, and PCI DSS certifications; details are published at cloudflare.com/trust-hub.

Encryption

• In transit: All traffic to and from cryotrak.com is served over TLS 1.3, with HSTS enforced. Modern cipher suites only; no fall-back to legacy SSL or weak ciphers. Live
• At rest: Cloudflare D1 encrypts data at rest using AES-256. Inbound submission content is stored encrypted. Live
• Device telemetry: The CryoTrak monitoring device sends shipment telemetry over authenticated TLS to the platform backend. Symmetric keys are unique per device and rotatable. Live

Access control

• Production access: Only the CryoTrak founding team has access to production infrastructure, gated by Cloudflare account 2FA and per-resource API tokens with least-privilege scopes. Live
• Customer access (when applicable): Pilot deployments use email-based access controls via Cloudflare Access. SSO and SCIM provisioning are on the roadmap for production customers. Roadmap
• Audit trail: Every administrative action against production infrastructure is logged by Cloudflare and retained for 90 days. Live

Data handling

• What we collect: Telemetry from monitoring devices (temperature, sublimation rate, GPS, sensor data) tagged with the shipment identifier the customer assigns. We do not collect, store, or process Protected Health Information (PHI). The shipper knows what is in the box; CryoTrak sees only the environmental conditions around it.
• Where it lives: United States, on Cloudflare infrastructure. Cross-border transfers, where they occur, are covered by Standard Contractual Clauses with our subprocessors.
• Retention: Inquiry submissions through cryotrak.com are retained for two years after our last interaction unless you ask us to delete them sooner. Customer telemetry retention is governed by the Master Services Agreement signed with each customer.
• Subprocessors: A short list, currently Cloudflare and Google Workspace. Listed in our Privacy Policy. We notify customers of additions in advance.

Compliance posture

CryoTrak is an early-stage company building toward formal certifications appropriate for pharmaceutical cold chain logistics. Honest snapshot of where we are:

• 21 CFR Part 11: Platform exports are generated to be 21 CFR Part 11-compliant (chain-of-custody, electronic signatures, audit trail). Validation work is in progress alongside our first paid pilot. Roadmap
• GDP (Good Distribution Practice): The CryoTrak monitoring product is designed to support GDP-aligned cold chain documentation. Customer-specific GDP qualification is performed during pilot. Live
• SOC 2 Type II: Targeted for completion within 12 months of first revenue. Underlying infrastructure (Cloudflare) is already SOC 2 Type II certified. Roadmap
• HIPAA: CryoTrak does not process PHI, so HIPAA does not apply to our current product. If a customer use case ever requires it, we would sign a Business Associate Agreement and harden accordingly. Conditional
• GDPR / UK GDPR: We respond to data subject requests within 30 days. See the Privacy Policy for details. Live

Secure development

• Source code is held in private Git repositories with branch protection and required reviews on production-deploy branches.
• Cloudflare Pages auto-deploys from the production branch only. Preview deployments for any other branch are not publicly indexed.
• Secrets (API keys, signing keys) are stored in Cloudflare environment variables and never committed to source control.
• Dependencies are reviewed before adoption and kept current. No automated open-source dependency adoption.

Vulnerability disclosure

If you believe you have found a security vulnerability in cryotrak.com, demo.cryotrak.com, or any CryoTrak system, we want to hear from you. Send the details to [email protected] with “Security disclosure” in the subject line. We commit to:

• Acknowledging your report within two business days.
• Working with you to understand and reproduce the issue.
• Keeping you updated as we investigate and remediate.
• Not pursuing legal action against good-faith security research, provided you do not access data beyond what is necessary to demonstrate the issue, do not degrade service, and give us reasonable time to respond before public disclosure.

We do not currently operate a paid bug bounty programme. If you would like public credit for a valid finding, we are happy to add you to a published acknowledgements list.

Incident response

In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay and in any event within 72 hours of confirmation, in line with GDPR Article 33 expectations. The notification will include what we know, what we are doing, and what (if anything) you should do.

Questions for procurement

If you are evaluating CryoTrak for a pilot or production deployment and your procurement team has a security questionnaire (SIG, CAIQ, custom), email [email protected] with “Vendor security review” in the subject line. We will return a completed questionnaire and a current security overview deck within five business days.