How Tracker Pull Stays Up, Safe, and in Your Control
Two-factor auth. Multi-org isolation. Webhook-tracked email. CDN-backed media.
The engineering details that decide whether your organization can actually trust a platform with a season's worth of registrations, results, and rulebook. Every one of these is built in — not bolted on.
Who Can Touch Your Data
Every account is hardened by default. No "we'll add security later" — it shipped with the platform.
Two-Factor Auth (TOTP)
Admins can enroll any TOTP authenticator app — Google Authenticator, 1Password, Authy. Recovery codes are issued at enrollment and regenerable on demand.
Email Verification & Login Throttle
New accounts verify their email before they can act. Login attempts are rate-limited per address. Brute-forcing the front door isn't on the menu.
Tamper-Evident Audit Log
Every admin action — who, what, when, and what changed — is recorded. Browse the log to answer "who edited that result?" without guessing.
Lock or Disable on the Spot
Departing official? Compromised credential? Lock the account in one click. Disable for a long pause. Audit log keeps a record of who pulled the trigger.
Role & Policy-Based Authorization
Built on Laravel's gates and policies. Every controller action checks "can this user, in this org, do this thing?" — server-side, every time.
Password Reset That Doesn't Leak
Reset tokens are scoped, single-use, and expire fast. Reset attempts are throttled separately from logins to prevent enumeration.
Your Data, Your Org, Your Boundary
Tracker Pull was rebuilt from the ground up to host multiple sanctioning bodies side-by-side without ever mixing their data.
Per-Org Data Isolation
Every model — people, vehicles, events, registrations, classes, formulas, fees — is scoped to an organization. Org context is enforced by middleware on every authenticated request. You can't accidentally see another org's data; the queries simply won't return it.
One Login, Many Orgs
An official who works two circuits doesn't need two accounts. Membership in multiple orgs is first-class. Switching takes one click and re-scopes everything on screen.
"Did the Email Actually Arrive?"
The platform sends through SMTP2Go and records the answer to every send. No more "I never got the confirmation" guesswork.
Webhook-Tracked Sends
Every outbound message is correlated to its provider event stream. Delivered, opened, bounced, complained, suppressed — recorded on the message and queryable from the deliverability dashboard.
Automatic Suppression
Hard bounces and spam complaints add the address to a suppression list automatically. Your sender reputation stops degrading the moment a bad address turns up.
Per-Member Send Visibility
When a competitor calls asking where the confirmation went, you can pull up the message timeline and tell them — without digging through provider dashboards.
Durable Storage, Fast Delivery
Files don't live on a single web server praying for an outage. They live on object storage and are served from a global CDN edge.
CDN-Backed Object Storage
Photos, documents, logos, and event assets sit on durable object storage (Backblaze B2) and are fronted by a global CDN (Cloudflare). Gallery thumbnails are fast for a fan in Iowa or Saskatchewan.
Admin-Controlled Maintenance Mode
When the platform needs a moment — schema change, deploy, recalculation — admins flip on maintenance mode. Visitors see a friendly notice instead of a stack trace.
If Something Breaks, We Know Before You Do
Error tracking, queue heartbeats, log viewer, and live system health checks — all integrated into the admin so the operator doesn't need SSH access to diagnose.
Error Tracking (Sentry)
Every unhandled exception is captured with stack trace, request context, and breadcrumbs. We see the issue before a support ticket is filed.
Queue Heartbeat
Background workers emit a heartbeat. If the queue stalls — emails not sending, points not recalculating — alerting fires before you notice.
In-App Log Viewer
Application logs are searchable and filterable from the admin. No "ask the developer for a tail of the log file" round trip.
Live System Health Checks
Database, cache, queue, storage, mail driver — each reports status to a dashboard. Green means run the event. Red means we already know.
What Keeps the Lights On
A platform is only as trustworthy as the discipline behind the code. Here's what shipping a change actually looks like.
2,000+ Automated Tests
The full test suite runs on every change. Feature tests cover real HTTP requests through the controllers, models, and policies. Migrations are verified end-to-end. Nothing ships red.
Static Analysis
PHPStan/Larastan runs at level 5 with a tracked baseline. Type errors and null-safety bugs are caught at the keyboard, not in production at 8pm on event night.
CI Pipeline on Every Push
GitHub Actions runs tests, code-style checks (Pint), and a composer security audit on every push. Dependabot proposes dependency updates with their own test runs. Stale code is loud.
Comfortable yet?
If your org has a security or vendor-review checklist, we'd love to walk through it. Get in touch.
Contact Us