← Back to Home
The platform underneath

How Tracker Pull Stays Up, Safe, and in Your Control

Two-factor auth. Multi-org isolation. Webhook-tracked email. CDN-backed media.

The engineering details that decide whether your organization can actually trust a platform with a season's worth of registrations, results, and rulebook. Every one of these is built in — not bolted on.

Identity & Access

Who Can Touch Your Data

Every account is hardened by default. No "we'll add security later" — it shipped with the platform.

Audit Log Details view for an event status change from not_started to official, showing event type, timestamp, user, tags, organization, model type, IP address, user agent, the field-level diff, and raw JSON audit payload
Audit log entry — every admin action records who, what, when, the field-level diff, and the full request context.

Two-Factor Auth (TOTP)

Admins can enroll any TOTP authenticator app — Google Authenticator, 1Password, Authy. Recovery codes are issued at enrollment and regenerable on demand.

Email Verification & Login Throttle

New accounts verify their email before they can act. Login attempts are rate-limited per address. Brute-forcing the front door isn't on the menu.

Tamper-Evident Audit Log

Every admin action — who, what, when, and what changed — is recorded. Browse the log to answer "who edited that result?" without guessing.

Lock or Disable on the Spot

Departing official? Compromised credential? Lock the account in one click. Disable for a long pause. Audit log keeps a record of who pulled the trigger.

Role & Policy-Based Authorization

Built on Laravel's gates and policies. Every controller action checks "can this user, in this org, do this thing?" — server-side, every time.

Password Reset That Doesn't Leak

Reset tokens are scoped, single-use, and expire fast. Reset attempts are throttled separately from logins to prevent enumeration.

Multi-Tenant Architecture

Your Data, Your Org, Your Boundary

Tracker Pull was rebuilt from the ground up to host multiple sanctioning bodies side-by-side without ever mixing their data.

Per-Org Data Isolation

Every model — people, vehicles, events, registrations, classes, formulas, fees — is scoped to an organization. Org context is enforced by middleware on every authenticated request. You can't accidentally see another org's data; the queries simply won't return it.

One Login, Many Orgs

An official who works two circuits doesn't need two accounts. Membership in multiple orgs is first-class. Switching takes one click and re-scopes everything on screen.

Organization switcher dropdown showing a search field and a list of pulling associations the user is a member of
Email Deliverability

"Did the Email Actually Arrive?"

The platform sends through SMTP2Go and records the answer to every send. No more "I never got the confirmation" guesswork.

Email Deliverability dashboard showing delivered, bounce, spam complaint, rejected, and suppressed counts over the last 30 days, plus a Recent Delivery Events table with timestamps, event types, recipients, source, and reason, and an Address Suppression management area
Deliverability dashboard — webhook-tracked delivery, bounce, complaint, and suppression events from SMTP2Go.

Webhook-Tracked Sends

Every outbound message is correlated to its provider event stream. Delivered, opened, bounced, complained, suppressed — recorded on the message and queryable from the deliverability dashboard.

Automatic Suppression

Hard bounces and spam complaints add the address to a suppression list automatically. Your sender reputation stops degrading the moment a bad address turns up.

Per-Member Send Visibility

When a competitor calls asking where the confirmation went, you can pull up the message timeline and tell them — without digging through provider dashboards.

Storage & Media

Durable Storage, Fast Delivery

Files don't live on a single web server praying for an outage. They live on object storage and are served from a global CDN edge.

CDN-Backed Object Storage

Photos, documents, logos, and event assets sit on durable object storage (Backblaze B2) and are fronted by a global CDN (Cloudflare). Gallery thumbnails are fast for a fan in Iowa or Saskatchewan.

Admin-Controlled Maintenance Mode

When the platform needs a moment — schema change, deploy, recalculation — admins flip on maintenance mode. Visitors see a friendly notice instead of a stack trace.

Observability

If Something Breaks, We Know Before You Do

Error tracking, queue heartbeats, log viewer, and live system health checks — all integrated into the admin so the operator doesn't need SSH access to diagnose.

Error Tracking (Sentry)

Every unhandled exception is captured with stack trace, request context, and breadcrumbs. We see the issue before a support ticket is filed.

Queue Heartbeat

Background workers emit a heartbeat. If the queue stalls — emails not sending, points not recalculating — alerting fires before you notice.

In-App Log Viewer

Application logs are searchable and filterable from the admin. No "ask the developer for a tail of the log file" round trip.

Live System Health Checks

Database, cache, queue, storage, mail driver — each reports status to a dashboard. Green means run the event. Red means we already know.

Engineering Discipline

What Keeps the Lights On

A platform is only as trustworthy as the discipline behind the code. Here's what shipping a change actually looks like.

2,000+ Automated Tests

The full test suite runs on every change. Feature tests cover real HTTP requests through the controllers, models, and policies. Migrations are verified end-to-end. Nothing ships red.

Static Analysis

PHPStan/Larastan runs at level 5 with a tracked baseline. Type errors and null-safety bugs are caught at the keyboard, not in production at 8pm on event night.

CI Pipeline on Every Push

GitHub Actions runs tests, code-style checks (Pint), and a composer security audit on every push. Dependabot proposes dependency updates with their own test runs. Stale code is loud.

Comfortable yet?

If your org has a security or vendor-review checklist, we'd love to walk through it. Get in touch.

Contact Us