Our security pillars
Tenant Isolation
Every tenant's data is segregated at the database query level. Cross-tenant access is prevented by enforced tenant-scoped queries on every request.
Encryption
All traffic is encrypted in transit using TLS 1.2+. Passwords are hashed with bcrypt; database backups are encrypted at rest.
Infrastructure
Application hosting on Render and database hosting on MongoDB Atlas, both with EU regions available. Daily snapshot backups with point-in-time recovery on supported tiers.
Auditability
Sensitive actions (logins, role changes, deletions, data exports) are recorded in an audit log scoped per tenant.
Access control
- Role-based access (Super Admin, Master Admin, Admin, Manager, Staff/Driver).
- Force-password-change on first login for staff onboarded via bulk import.
- JWT-based sessions with configurable expiry and rotation.
- Production access for engineers is least-privilege and reviewed periodically.
Data protection
- GDPR-aligned roles: Controller (you) / Processor (us) — see the DPA.
- Customer-initiated data export and account deletion endpoints.
- Sub-processors disclosed in the DPA. Notice provided before changes.
- EU hosting available on request for customers with data residency requirements.
Application security
- OWASP-aligned development practices.
- Server-side input validation; tenant-scoped query enforcement.
- Rate limiting and brute-force protection on authentication endpoints.
- Dependency monitoring and timely patching.
Incident response
We aim to detect, contain, and notify customers of any confirmed personal data breach without undue delay (and in any case within 72 hours where required by GDPR). Notifications include the nature of the breach, the categories of data affected, and the remedial steps taken.
Compliance posture
- GDPR (EU/UK): Privacy Policy, DPA, and data subject rights workflows in place.
- Irish company law: Operated by QuickFleet Limited under Irish law.