Security & compliance
How we handle your data.
Freight ops live and die on trust. Here is how we earn it — line by line, with no marketing-speak around any of it.
Tenant isolation
Postgres row-level security on every table. Every query is bound to a tenant_id via a session variable set at request start. No code path can read across tenants, period.
PII at rest
AES-256 encryption on driver phones, MC numbers, EINs, and banking. We re-encrypt with rotated keys quarterly.
PII in transit
TLS 1.3 only. HSTS preload. No HTTP fallback.
Audit log
Append-only per load. Includes every prompt, tool call, tool result, and decision. SELECT and INSERT permissions only — no DELETE or UPDATE policy exists.
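Added example, not code from this page or the product's own schema: one way the tenant-isolation and audit-log controls above can be expressed in PostgreSQL. The table, role, function and setting names (loads, audit_log, app_user, current_tenant, app.tenant_id) and the sample UUID are assumptions made for illustration.

```sql
-- Added illustration; every name below is an assumption, not the product's schema.
CREATE ROLE app_user NOLOGIN;
CREATE TABLE loads (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  reference text NOT NULL
);
CREATE TABLE audit_log (
  id         bigserial PRIMARY KEY,
  tenant_id  uuid NOT NULL,
  load_id    bigint NOT NULL,
  event_type text NOT NULL
    CHECK (event_type IN ('prompt', 'tool_call', 'tool_result', 'decision')),
  payload    jsonb NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);

-- FORCE applies policies to the table owner as well.
-- Superusers and roles with BYPASSRLS are still exempt, so the app must not run as one.
ALTER TABLE loads     ENABLE ROW LEVEL SECURITY;
ALTER TABLE loads     FORCE  ROW LEVEL SECURITY;
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE  ROW LEVEL SECURITY;

-- Fail closed: an unset or empty setting yields NULL, and tenant_id = NULL matches no rows.
CREATE FUNCTION current_tenant() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid $$;

CREATE POLICY tenant_rw ON loads
  USING      (tenant_id = current_tenant())
  WITH CHECK (tenant_id = current_tenant());

-- Append-only: SELECT and INSERT policies and grants only.
-- UPDATE and DELETE fail on the missing privilege; with no policy for them,
-- row-level security would match zero rows even if a grant were added by mistake.
CREATE POLICY audit_read   ON audit_log FOR SELECT USING      (tenant_id = current_tenant());
CREATE POLICY audit_append ON audit_log FOR INSERT WITH CHECK (tenant_id = current_tenant());

GRANT SELECT, INSERT, UPDATE, DELETE ON loads TO app_user;
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE loads_id_seq, audit_log_id_seq TO app_user;

-- Per request: bind the tenant inside the transaction. The third argument (true)
-- makes the setting transaction-local, so a pooled connection cannot carry
-- one tenant's id into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, reference FROM loads;   -- returns only this tenant's rows
COMMIT;
```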
TCPA compliance
Every outbound call passes a gate: consent record, DNC list, time-of-day window (8am–9pm local), 2-party-consent state detection, and AI disclosure injection. The gate is the only path to the dialer. The bypass token is restricted to ENVIRONMENT=test.
Card data
We do not store card data. Stripe owns it. Our database has Stripe customer IDs and nothing more.
Subprocessors
Anthropic (Claude API), Supabase (Postgres + Storage), Railway (compute), Twilio (voice), Deepgram (STT), ElevenLabs (TTS), Stripe (billing). DPAs on file for each.
SOC 2
Type I in flight for Q4 2026. Type II in 2027. Available under NDA today: our security control matrix and SOC-2-readiness gap analysis.
Questions a checklist cannot answer?
Write to security@indolent.design. We reply with the actual answer, not a sales call.