How we protect your fleet's data.
Routeon is built for operators who can't afford downtime or data loss. This page describes the controls, processes, and third parties we use to keep your workspace safe.
- Uptime (90d)
- 99.98%
- At rest
- AES-256
- In transit
- TLS 1.3
- Security monitoring
- 24/7
SOC 2 Type II in progress · PCI-DSS via Stripe · GDPR & CCPA aligned
Controls you can verify
Encryption, access, and audit — not marketing claims.
- EncryptionAt rest & in transit
- SSO + MFAOkta, Google, SAML
- Audit logsEvery change tracked
- Daily backups30-day point-in-time
SOC 2 Type II readiness
Routeon is actively working toward a SOC 2 Type II report covering Security, Availability, and Confidentiality. We have implemented the underlying technical controls (encryption, access control, logging, change management) and are partnering with a CPA firm on the formal observation window. Until the report is issued, we don't claim SOC 2 certification — but we'll share our security questionnaire, control matrix, and architecture overview on request.
Controls in place today
Every customer workspace gets these out of the box — there is no "premium" security tier.
All traffic served over TLS 1.2+. Customer data stored in a managed Postgres database with disk-level encryption at rest.
Email + password with Have I Been Pwned screening, plus Google SSO. Sessions use short-lived JWTs with rotating refresh tokens.
Every customer table is protected by Postgres row-level security scoped to the workspace. Cross-tenant reads are denied at the database layer, not just the app.
Owner, Admin, Dispatcher, Accountant, Staff, and Driver roles enforced in both the UI and RLS. Drivers can only see their own assigned trips.
Daily automated backups of the production database with point-in-time recovery handled by our infrastructure provider.
Application runs on edge-grade serverless infrastructure with global DDoS protection in front of every request.
Sensitive events (contract sends, signatures, payments, platform-admin actions) are recorded in append-only audit logs visible to workspace owners.
Defined runbook for triage, customer notification, and post-mortem. Material incidents are disclosed to affected workspaces within 72 hours.
Subprocessors
Routeon uses the following third parties to deliver the service. We will notify customers in-app before adding a new subprocessor that handles customer data.
| Provider | Purpose | Region |
|---|---|---|
| Lovable Cloud (managed Postgres + Auth) | Application database, authentication, file storage | US |
| Cloudflare | Edge runtime, CDN, DDoS protection | Global |
| Stripe | Payment processing | US / EU |
| Google Maps Platform | Geocoding, routing, distance calculation | Global |
| Samsara | Optional fleet telematics & HOS data (only when connected) | US |
| Firebase Cloud Messaging | Driver mobile push notifications | Global |
| Lovable transactional email | Auth and reservation emails | US / EU |
Data retention
Operational records (reservations, trips, invoices, driver logs) are retained for up to 7 years after a workspace is closed, to support DOT, financial, and audit recordkeeping requirements common to ground transportation. Customers can request earlier deletion of non-regulated personal data.
Privacy requests
Workspace owners can export and delete data directly from Settings. End-user access, correction, or deletion requests (GDPR / CCPA / Quebec Law 25) can be sent to the contact below and are processed within 30 days.
Report a vulnerability or security concern
We take security reports seriously and aim to respond within one business day. Please include reproduction steps and any relevant logs.
security@routeon.app