Security
How we protect the data your fleet trusts us with. Updated April 30, 2026.
Data protection at a glance
Encryption in transit: TLS 1.2 or higher on every connection. HSTS enforced on all production domains.
Encryption at rest: AES-256 on database and file storage, managed by Supabase / AWS.
Tenant isolation: Row-level security in Postgres. Every database query is scoped to your tenant_id at the database layer — even with a software bug, one customer can't read another's data.
Audit logs: Financial and identity changes (plan, payment, role grants) write to an append-only audit log keyed by the actor's authenticated user id.
Backups: Daily automated database backups, retained 30 days. Point-in-time recovery for the last 7 days. Tested via spot-restores.
Authentication: Email + password with industry-standard hashing. Optional multi-factor authentication on all accounts. Session tokens rotate on sign-out across tabs.
How tenant isolation works
Every customer's data lives in the same Postgres database, but each row is tagged with a tenant_id. Postgres row-level security (RLS) policies enforce at the database layer that a query authenticated as tenant A literally cannot return rows for tenant B — there is no "trust the application" step where a typo by a developer would leak data. RLS policies are versioned in our migration files and reviewed before merge. We also run cross-tenant isolation tests as part of our pre-launch checklist for every new tenant-scoped table.
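A worked example of the pattern described above, added here for illustration and not HaulSharp's own schema or policy: a tenant-scoped table with a Postgres RLS policy, followed by the kind of cross-tenant isolation test the section mentions. It assumes the Supabase conventions that the caller's tenant id is carried in the JWT's app_metadata.tenant_id claim, that Supabase's auth.jwt() helper exposes those claims, and that application users run as the authenticated role; the table name, column names and the two tenant UUIDs are constructed.

```sql
-- Added example, not HaulSharp's schema. Assumes Supabase conventions:
-- the "authenticated" role, and auth.jwt() returning the caller's JWT claims
-- (auth.jwt() reads them from the request.jwt.claims session setting).

create table loads (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null,
  origin      text not null,
  destination text not null
);

grant select, insert, update, delete on loads to authenticated;

alter table loads enable row level security;
-- Table owners bypass RLS by default; FORCE applies the policy to them too.
alter table loads force row level security;

-- One policy for reads and writes. USING filters which rows the caller can see;
-- WITH CHECK rejects any insert or update that would tag a row with a tenant_id
-- other than the one in the caller's token.
create policy loads_tenant_isolation on loads
  for all
  to authenticated
  using      (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid)
  with check (tenant_id = (auth.jwt() -> 'app_metadata' ->> 'tenant_id')::uuid);

-- Cross-tenant isolation test (constructed tenant ids). Everything runs inside
-- one transaction that is rolled back, so the test leaves no data behind.
begin;
set local role authenticated;

-- Tenant A inserts a load.
set local request.jwt.claims =
  '{"app_metadata": {"tenant_id": "11111111-1111-1111-1111-111111111111"}}';
insert into loads (tenant_id, origin, destination)
values ('11111111-1111-1111-1111-111111111111', 'Bend, OR', 'Boise, ID');

-- Switch the session to tenant B. The USING clause filters out tenant A's row,
-- so the count is zero even though the SQL itself has no WHERE clause.
set local request.jwt.claims =
  '{"app_metadata": {"tenant_id": "22222222-2222-2222-2222-222222222222"}}';
select count(*) as visible_to_tenant_b from loads;

-- Tenant B attempting to write a row tagged as tenant A: the WITH CHECK clause
-- rejects the insert with a row-level security policy violation.
insert into loads (tenant_id, origin, destination)
values ('11111111-1111-1111-1111-111111111111', 'anywhere', 'anywhere');

rollback;
```

Two caveats worth knowing when reading a policy like this. First, Postgres roles with the BYPASSRLS attribute (including superusers and, in Supabase, the service_role behind the service-role key) are not subject to these policies at all, which is exactly why that key must never reach the browser. Second, a policy only protects the table it is attached to: every new tenant-scoped table needs its own policy, so an isolation test that runs against each such table before launch, as the section describes, is the check that catches the table somebody forgot.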
Application security
- Role-gated APIs. Every backend endpoint checks the caller's role (owner, admin, manager, dispatcher, mechanic, driver) against an explicit allowlist. Drivers can't see payroll. Dispatchers can't change billing.
- Server-side authorization. The browser is treated as untrusted. We never rely on UI hiding to enforce permission — every write is re-authorized server-side.
- Webhook signatures are verified. Our Edge Functions verify the HMAC signature on every Stripe webhook before taking any side effect. Replay attacks are blocked by event-id idempotency.
- Dependencies are pinned. Supply-chain risk is reduced by pinning third-party libraries to specific versions and reviewing updates before they merge.
- Secrets stay server-side. Stripe live keys, the Supabase service-role key, and similar credentials are stored as platform secrets. The browser only ever sees the public anon key.
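The event-id idempotency mentioned above can be enforced at the database rather than in the function's memory, so it survives restarts and concurrent deliveries. The following is an added example, not HaulSharp's code: a table keyed by the Stripe event id and a function the webhook handler calls, in the same transaction as its side effect, after the signature has already been checked. The table, function and event id are constructed names.

```sql
-- Added example, not HaulSharp's code. Assumes the webhook handler has already
-- verified the Stripe signature and now wants at-most-once processing per event.

create table stripe_events (
  event_id    text primary key,     -- Stripe's event id; the primary key is the replay guard
  event_type  text not null,
  received_at timestamptz not null default now()
);

-- Returns true the first time an event id is seen and false on every replay.
-- Two concurrent deliveries of the same event contend on the same primary key:
-- exactly one insert succeeds, the other hits the conflict and reports false.
create function claim_stripe_event(p_event_id text, p_event_type text)
returns boolean
language sql
as $$
  with ins as (
    insert into stripe_events (event_id, event_type)
    values (p_event_id, p_event_type)
    on conflict (event_id) do nothing
    returning 1
  )
  select exists (select 1 from ins);
$$;

-- Handler side, inside one transaction so the claim and the side effect commit
-- or roll back together (constructed event id). When the call returns true the
-- handler applies the side effect and commits; when it returns false the event
-- is a replay or duplicate delivery, the handler does nothing and still
-- acknowledges the webhook so Stripe stops retrying it.
begin;
select claim_stripe_event('evt_example_0001', 'checkout.session.completed');
commit;
```

The order matters: verify the signature first, then claim the event id, then act. Claiming before verification would let an unauthenticated request burn a legitimate event id, and acting before claiming reintroduces the double-processing the table exists to prevent.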
Infrastructure
HaulSharp runs on a small set of well-known providers. We list them all in the Privacy Policy and the DPA:
- Supabase (Postgres, auth, storage, Edge Functions) — runs on AWS infrastructure in us-west-2 (Oregon).
- Stripe for payment processing. We never see, store, or transmit raw card numbers — Stripe Checkout handles card collection on their domain.
- Anthropic for the Roy AI features. Inputs you send Roy are processed under Anthropic's commercial API terms — Anthropic does not retain or train on this data.
- SendGrid for transactional email.
- Cloudflare / Netlify for web hosting and CDN.
What we don't do (and why that matters)
- We don't sell your data. Ever. Not to advertisers, not to data brokers, not to anyone.
- We don't train shared AI models on your data. Roy operates only on your tenant's data. Your loads, drivers, and customers don't end up in a training corpus that benefits another carrier.
- We don't run third-party ad trackers. The site uses minimal first-party analytics for product improvement only.
Reporting a vulnerability
If you find a security issue — a bug that could expose data, a way to escalate privilege, anything that worries you — please email security@haulsharp.com with details and steps to reproduce. We'll respond within two business days. We don't currently run a paid bug bounty, but we'll publicly credit researchers who report responsibly (with permission).
Please don't run automated vulnerability scanners against production. If you want to test against a sandbox tenant, email us first and we'll set one up.
Compliance posture (where we stand)
Subprocessor changes
We notify customers by email at least 30 days before adding a new subprocessor. Existing subprocessors are listed in the Privacy Policy and the DPA. You can object to a new subprocessor by emailing us; if we can't accommodate the objection, you can terminate without penalty.
Contact
Haul Sharp LLC
Bend, Oregon
General: hello@haulsharp.com
Security: security@haulsharp.com
541-550-1275