Sharing a record means handing master-quality audio to people outside your label. Trackdeck is built so that every play and every download stays gated, traceable and revocable — without making the work feel like a vault.
Every stream and download runs through a server-side check before a single byte is served. There is no “share the file and hope” path.
Each download carries an inaudible tag unique to its recipient, plus an audit log — so a leak points back to a specific link, not a guess.
Set expiry, add a password, or revoke a link the moment a deal falls through. A platform kill-switch can pause everything if needed.
This page describes how Trackdeck protects the music you put into it, in plain terms. We have tried to be precise rather than dramatic: below is what the system actually does today, and where the honest limits are.
Nothing in Trackdeck is served from a public file URL. Audio, artwork and downloads are never directly readable from storage — they are issued behind a server-side gate that checks who is asking before it responds.
For members, that gate is a verified email account. For external reviewers — managers, A&R, journalists, the artist — there is no account at all: they open a share link, and the link’s token is exchanged server-side for a short-lived media grant of roughly two hours. When that grant expires, playback simply needs to re-authorise against the link. The underlying signed URLs are short-lived by design, so a copied address goes stale quickly and cannot be passed around as a permanent backdoor.
A share link is the unit of trust in Trackdeck, and each one is configurable on its own terms:
Pages for unreleased records are marked noindex, so they are not surfaced by search engines while a project is still private.
When a recipient downloads a track, Trackdeck embeds an inaudible, per-recipient tag into the audio. It is designed to survive a lossy MP3 transcode, which is the most common way a file changes hands after it leaves your label. If a track surfaces somewhere it shouldn’t, that tag is intended to point back to the specific link it came from.
Alongside the watermark, every download is written to an audit log. To respect the privacy of reviewers, the visitor’s IP address is stored as a salted hash rather than a raw address — enough to correlate activity, without keeping a plain record of where people were.
A note on honesty: no audio watermark is unbreakable. A determined attacker with the right tools can degrade or strip one. The goal here is strong deterrence and practical traceability for the realistic ways music leaks — not a guarantee against every adversary.
Members of a label workspace sign in with verified email accounts. Roles follow a least-privilege model: people get the access their job needs and nothing beyond it, so a commenter cannot quietly become an administrator. External reviewers stay out of your workspace entirely — they only ever see the deck a link points at.
Trackdeck runs on Google Cloud and Firebase, hosted in the EU region europe-west1. Access is enforced server-side by Firestore security rules together with signed-URL issuance, so the rules that decide “can this person see this?” live on the server, not in the browser where they could be bypassed.
Beyond individual links, Trackdeck has a platform-level kill-switch. In an incident — a suspected breach, an abused account, scheduled maintenance — it can pause new shares, downloads and signups at once and show a maintenance banner, giving us a clean way to stop the flow while we investigate rather than scrambling link by link.
Every stream and download passes a server-side gate. Members sign in with verified email accounts and least-privilege roles. External reviewers open a share link, which exchanges its token for a short-lived (~2h) media grant. Each link carries its own role, optional password and expiry, and can be revoked instantly. No public file URLs — signed URLs are short-lived.
Downloads carry an inaudible, per-recipient forensic tag embedded at download time, designed to survive MP3 transcoding — so a leaked file can be traced to the link it came from. Every download is also logged, with the visitor’s IP stored as a salted hash rather than a raw address.
On Google Cloud and Firebase in the EU region (europe-west1). Access is enforced server-side by Firestore security rules and signed-URL issuance, so files are never readable directly from storage.
Yes. Any link can be revoked instantly, which immediately stops new streams and downloads from it. An operational kill-switch can also pause new shares, downloads and signups platform-wide and show a maintenance banner while you investigate.
Trackdeck is invite-only while we build 2.0. Join the waitlist and we’ll reach out as spots open.