Trust & Security

Security at Haulia

Freight data is the backbone of your business — your rates, your customers, your margin. Here's how we protect it. Our security program is built on the principle that your data is not ours to use, sell, or train on.

Last updated: April 18, 2026

Compliance & certifications

  • SOC 2 Type II — audit in progress (2026)
  • GDPR — data subject rights, SCCs for EU transfers
  • CCPA / CPRA — California consumer rights honored
  • HIPAA — not in scope; do not upload PHI

Encryption

  • In transit: TLS 1.2+ on every endpoint, HSTS enforced
  • At rest: AES-256 on all storage, managed keys via cloud KMS
  • Secrets: isolated secret manager, rotated on schedule
  • Backups: encrypted, cross-region, 30-day retention

Infrastructure

  • Hosted on AWS in US-East-1 and EU-West-1
  • Private VPCs with no public-facing databases
  • Single-tenant data boundaries per customer org
  • Edge WAF + DDoS protection in front of all traffic

Access control

  • SSO (SAML/OIDC) on Business and Enterprise plans
  • Role-based access control (RBAC) down to agent scope
  • Mandatory MFA for all Haulia employees
  • Least-privilege IAM, reviewed quarterly

Monitoring & logging

  • Centralized SIEM across application, infra, and audit logs
  • Tamper-evident audit trails for every agent action
  • 24/7 on-call rotation with paging runbooks
  • Anomaly detection on auth, API usage, and data egress

Incident response

  • Documented IR plan, tested twice per year
  • Customer notification within 72 hours of confirmed breach
  • Post-incident review published to affected customers
  • Disclosed SLAs for Business and Enterprise tiers

Data handling

  • Customer data is never used to train foundation models
  • Per-tenant isolation at the application and database layer
  • Configurable retention windows by data class
  • On-request export (JSON / CSV) and deletion within 30 days

Vendor & sub-processor management

  • All sub-processors reviewed for SOC 2 or ISO 27001
  • Current list published in our DPA, Annex 3
  • 30-day notice of sub-processor additions
  • DPAs in place with every sub-processor

Vulnerability management

  • Annual third-party penetration tests
  • Continuous automated scanning (SAST, DAST, SCA)
  • Responsible disclosure program at security@haulia.ai
  • Critical CVEs patched within 7 days, high within 30

Our commitments to you

  • Your data is yours. Rates, contacts, and lane history are never used to train models, shared with other customers, or sold to third parties.
  • Right to delete. Request full deletion at any time; we complete it within 30 days across primary and backup systems.
  • Transparent sub-processors. Our full list lives in the DPA. You get 30 days' notice before we add a new one.
  • Auditable AI. Every agent action is logged, cited, and reversible. You can see why Haulia did what it did.

Report a vulnerability

We welcome responsible disclosure from the security community. Email security@haulia.ai with details and we will acknowledge within one business day. We do not pursue legal action against good-faith researchers who follow our disclosure guidelines.

For compliance documentation (SOC 2 reports, pen test letters, DPAs), contact trust@haulia.ai.