NPDESTracker

Security and privacy in plain language.

What NPDESTracker does, does not do, and asks you not to upload.

Tenant isolation and role-based access

Each customer (city, county, district, authority) runs in its own logical tenant. Every database read and write is scoped to a tenant identifier at the query layer, with row-level separation. Role-based access (admin, coordinator, inspector, viewer) is enforced at every tier.

No cross-tenant analytics

We do not run cross-tenant analytics, anonymized benchmarks, or industry-comparison reports across customers. Operational analytics surfaces (MS4 Metrics, the audit log workspace, IDDE response timelines, the readiness rollup) run on a single tenant's own records.

No staff surveillance

NPDESTracker does not provide inspector productivity scores, keystroke logging, location tracking outside the inspection record itself, or staff ranking dashboards. Per-record attribution and timestamps exist for audit purposes, not as performance metrics.

No data sale

We do not sell customer data and do not share customer records with advertisers, data brokers, or marketing lists.

Portable exports

Records export as CSV, JSON, and GeoJSON on every tier so the data stays portable. The audit log is also CSV-exportable for regulator requests.

Smart Draft and AI

Smart Draft runs in a default deterministic mode that does not contact an external AI provider. An optional external AI mode can be configured per tenant; when on, only a field-whitelisted slice of the record context is sent. Customer data does not train cross-tenant models.

What you should not upload

Please do not upload Social Security numbers, payment card numbers, protected health information, or other sensitive personal data. NPDESTracker is built for MS4 program records, not for storing regulated personal data.

Public records considerations

Records inside a customer tenant may be subject to public records requests (FOIA and state equivalents) in the customer's jurisdiction. NPDESTracker is designed for graceful redaction at export, so the program can produce responsive copies without exposing unrelated material.

An honest disclaimer

We do not currently hold third-party certifications such as SOC 2 or ISO 27001, and we do not claim them. For the architectural detail your IT and procurement teams will ask about, see /security and /privacy.

Need help? Email admin@npdestracker.com.