Security Practices

Last updated: May 3, 2026

Your fleet data — vehicle records, driver information, compliance documents, and operational history — is sensitive. Here is exactly how Fleiko protects it.

Infrastructure

🏗️ Hosting
The Fleiko portal is hosted on Vercel (edge network, US regions). All compute runs inside Vercel's managed infrastructure, which includes DDoS protection, automatic TLS provisioning, and global edge caching.

🗄️ Database and Authentication
All data is stored in Supabase, a managed Postgres platform running on AWS infrastructure in the United States. Supabase handles database hosting, authentication, and file storage. Row-level security (RLS) policies are enforced at the database layer — every query is scoped to the authenticated company, preventing cross-tenant data access.

📁 File Storage
Uploaded documents (registrations, insurance certificates, inspection reports) are stored in Supabase Storage with object-level access controls. Files are not publicly accessible — retrieval requires an authenticated session with access to the relevant company account.

Encryption

  • In transit: All data transmitted between your browser and Fleiko is encrypted using TLS 1.2 or higher. HTTPS is enforced on all routes — there is no plain HTTP access.
  • At rest: Data stored in Supabase (database and file storage) is encrypted at rest using AES-256, managed by AWS.
  • Passwords: User passwords are never stored by Fleiko. Authentication is handled entirely by Supabase Auth, which uses bcrypt hashing. Fleiko staff cannot retrieve or view any user's password.

Access Controls

  • Tenant isolation: Every API request is authenticated and scoped to the requesting company. It is architecturally impossible for one company's data to appear in another company's portal view.
  • Role-based access: Portal users are assigned roles (owner, manager, driver). Drivers have restricted access — they cannot view company financials, reports, or other companies' records. Report access requires manager-level or higher.
  • Admin access: Fleiko's internal admin panel is protected by a separate authentication system. Only authorized Fleiko staff can access it. Admin access to client data is restricted to what is necessary for support purposes and is logged.
  • Session security: Sessions are managed by Supabase Auth with secure, httpOnly cookies. Sessions expire automatically after inactivity.

Backups and Data Integrity

  • Automated backups: Supabase performs daily automated backups of the database with point-in-time recovery. Backups are retained for 7 days on the base plan.
  • Audit logging: Key operations (document uploads, status changes, user invites) are logged with timestamps and user identifiers.
  • Data export: You can export your operational data at any time through the portal or by contacting support. On account cancellation, you have a 30-day window to export all data before it is deleted.

Third-Party Sub-Processors

Fleiko uses the following sub-processors. Each is contractually bound to protect your data:

Provider | Role | Data Processed | Location
Supabase | Database, Auth, Storage | All fleet and user data | United States (AWS)
Vercel | Hosting & Edge Network | Request logs, IP addresses | United States
Resend | Transactional Email | Email address, message content | United States
Upstash | Rate Limiting | IP addresses (hashed) | United States

Vulnerability and Incident Response

  • Breach notification: If Fleiko discovers a security incident that affects your data, we will notify you within 72 hours of becoming aware of it, consistent with GDPR Article 33 and US state breach notification laws.
  • Input validation: All API endpoints validate and sanitize inputs. Database queries use parameterized statements — SQL injection is not possible through the application layer.
  • Dependency management: Third-party packages are kept up to date and reviewed for known vulnerabilities.
  • Reporting a vulnerability: If you discover a security issue, please report it responsibly to legal@fleiko.com. Do not publish vulnerability details publicly before giving us reasonable time to respond.

What We Do Not Do

  • We do not sell, rent, or share your data with third parties for marketing or advertising purposes.
  • We do not collect real-time vehicle location or GPS data.
  • We do not integrate with ELDs or ingest hours-of-service records.
  • We do not have access to your drivers' devices.
  • We do not retain your data after the 30-day post-cancellation export window.

Your Responsibilities

Security is a shared responsibility. To keep your account secure:

  • Use a strong, unique password for your Fleiko account.
  • Do not share login credentials between team members — invite each user individually so access can be revoked independently.
  • Remove access promptly when an employee leaves your organization.
  • Contact us immediately at legal@fleiko.com if you suspect unauthorized access to your account.

Security questions or concerns? Email legal@fleiko.com. We take security reports seriously and will respond within 2 business days.