Compliance & Security
SOC 2 compliance infrastructure with audit logging, encryption, row-level security, and a compliance dashboard.
Audit Logging
Every write operation across all API endpoints is logged with the following data: user ID, IP address, timestamp, endpoint, HTTP method, and a before/after snapshot of the affected record. Audit logs are immutable and retained for 7 years.
| Field | Description |
|---|---|
| User ID | The authenticated user who performed the action |
| IP Address | Client IP at the time of the request |
| Timestamp | UTC timestamp with millisecond precision |
| Endpoint | The API route that was called |
| Method | HTTP method (POST, PUT, PATCH, DELETE) |
| Before | Snapshot of the record before the change |
| After | Snapshot of the record after the change |
Encryption
All data at rest is encrypted with AES-256-GCM. Sensitive PII fields -- including SSNs, bank account numbers, and tax IDs -- use application-layer encryption on top of database-level encryption. Data in transit is protected with TLS 1.3.
Row-Level Security
Every database table enforces row-level security (RLS) policies. Users can only access records belonging to their organization. RLS is enforced at the database layer, not the application layer, so an application bug that omits an organization filter still cannot return another organization's rows.
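The organization-scoped policy pattern described above, written out as an added PostgreSQL example (not the platform's own schema or policy). It assumes a `loads` table with an `org_id` column, an application role `app_user` that is not a superuser and has no `BYPASSRLS`, and a per-request setting `app.current_org_id` that the application sets inside each transaction; the organization ID shown is a constructed placeholder.

```sql
-- Constructed example: one table scoped to an organization by RLS.
CREATE TABLE loads (
    id        bigserial PRIMARY KEY,
    org_id    uuid NOT NULL,
    reference text NOT NULL
);

-- The application connects as this role. It is not a superuser and has no
-- BYPASSRLS attribute, so the policies below always apply to its queries.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON loads TO app_user;
GRANT USAGE, SELECT ON SEQUENCE loads_id_seq TO app_user;

ALTER TABLE loads ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply even to the table owner.
ALTER TABLE loads FORCE ROW LEVEL SECURITY;

-- Rows are visible and writable only when org_id matches the organization of
-- the current request. NULLIF turns an unset setting into NULL, so a request
-- that forgot to set its organization sees no rows instead of all rows.
CREATE POLICY loads_org_isolation ON loads
    FOR ALL
    TO app_user
    USING (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Per request: the application scopes the transaction to the caller's organization.
BEGIN;
SET LOCAL app.current_org_id = '00000000-0000-0000-0000-000000000001';  -- placeholder

-- Even with no WHERE clause, only this organization's rows come back.
SELECT id, reference FROM loads;

-- A write that targets another organization is rejected by the WITH CHECK clause.
INSERT INTO loads (org_id, reference)
VALUES ('00000000-0000-0000-0000-000000000002', 'LOAD-1');  -- placeholder; fails

COMMIT;
```

Because `SET LOCAL` is transaction-scoped, the organization context does not leak to the next request on a pooled connection.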
Role-Based Access Control
Eight roles and ten permission types enforce least-privilege access across the platform.
| Role | Access Level |
|---|---|
| Owner | Full access to all modules and settings |
| Admin | All modules except billing and ownership transfer |
| Dispatcher | Dispatch, loads, GPS, and driver communication |
| Accountant | Finance, payroll, invoicing, and tax reports |
| Safety Manager | Compliance, HOS, DVIR, and drug testing |
| Driver | Own HOS, loads, documents, and pay stubs |
| Viewer | Read-only access to dashboards and reports |
| API | Programmatic access scoped to specific endpoints |
Compliance Dashboard
The compliance dashboard provides a security posture score based on your organization's configuration: MFA adoption, role distribution, encryption status, and audit log coverage. Review recent audit events, export logs for external auditors, and track remediation items.