How we handle your data.
Freight ops live and die on trust. Here's how we earn it.
Tenant isolation
Postgres row-level security on every table. Every query is bound to a tenant_id via a session variable set at request start. No code path can read across tenants, period.
PII at rest
AES-256 encryption on driver phones, MC numbers, EINs, and banking. We re-encrypt with rotated keys quarterly.
PII in transit
TLS 1.3 only. HSTS preload. No HTTP fallback.
Audit log
Append-only per load. Includes every prompt, tool call, tool result, and decision. SELECT and INSERT permissions only — no DELETE or UPDATE policy exists.
TCPA compliance
Every outbound call passes a gate (consent / DNC / time-of-day / 2-party-consent state / AI disclosure). The gate is the only path to the dialer. The bypass token is gated behind ENVIRONMENT=test.
Card data
We don't store card data. Stripe owns it. Our DB has Stripe customer IDs and nothing more.
Subprocessors
Anthropic (Claude API), Supabase (Postgres + Storage), Railway (compute), Twilio (voice), Deepgram (STT), ElevenLabs (TTS), Stripe (billing). DPAs on file for each.
SOC 2
Type I in flight for Q4 2026. Type II in 2027. Available under NDA today: our security control matrix and SOC-2-readiness gap analysis.
Questions a checklist can't answer? Write security@indolenttrucking.com.