Data Handling

How FreightConnect stores, processes, and protects your data.

Data Storage

All data is stored in:

  • Region: US-East-1 (Virginia), US-West-1 (Oregon), US-West-2 (California) — AWS data centers
  • Encryption: AES-256 at rest
  • Replication: replicated across 3 availability zones for redundancy
  • Backups: taken hourly; retained for 30 days

For GDPR compliance, EU customer data can be stored in EU data centers (to request this, contact matt@freightconnect.ai).

Data Classification

We classify data by sensitivity:

Public (shipper company names, carrier names):

  • Can be displayed in reporting
  • Exportable to third parties

Private (load details, rates, margins):

  • Only visible to authorized team members
  • Not shared unless explicitly granted
  • Exportable for business purposes only

Confidential (shipper contact info, driver names, bank account numbers):

  • Encrypted
  • Access restricted
  • Never exported unless legally required

Regulated (payment card data, insurance info):

  • Handled per compliance requirements
  • PCI-DSS for card data (Stripe handles this)
  • Never stored in our system (only tokens)

Data Retention

| Data Type | Retention |
|---|---|
| Loads & shipments | Indefinite (in your account) |
| Tracking data | 2 years (then archived) |
| Settling records | 7 years (tax requirement) |
| Audit logs | 2 years (compliance) |
| Payment info | Never (stored with Stripe only) |
| Deleted accounts | 90 days (for recovery), then deleted |

You can request deletion anytime (except tax records, which we retain 7 years).

Access Control

Who can see your data:

Within your account:

  • Admins: full access to all data
  • Brokers: loads they created; shared loads only
  • Dispatchers: assigned loads only
  • Viewers: summary reports only

Outside your account:

  • FreightConnect support: only with your permission (for troubleshooting)
  • Carriers: see only their accepted loads (not rates or shipper details)
  • Shippers: see only tracking (via tracking link)

Nobody else: We don't sell data or share with third parties (except as required by law).

API Access

If you've generated API keys for integrations:

  • Keys are encrypted
  • Each key is associated with a user/permission level
  • Keys can be rotated (old key revoked)
  • Unused keys should be deleted

Rotate API keys every 90 days for security.

Data Transfer & Export

You can export your data anytime:

  • CSV — loads, shipments, settlements, carrier performance
  • JSON — via API
  • PDF — invoices, reports

Export includes shipper/carrier details and rates. You're responsible for protecting exported data.

We don't charge for exports (included in all plans).

Third-Party Access

We share data with:

Essential services (you use these):

  • Stripe — payment processing (card data only; we don't see it)
  • Samsara/Motive/Geotab — ELD telematics (location data only if you enable it)
  • SendGrid — email delivery (email addresses only)
  • Accounting software (QuickBooks, Xero, Wave) — load/settlement data (if you enable sync)

All third parties sign Data Processing Agreements (DPAs).

Non-essential services (we don't use):

  • Social media, analytics, ad networks — we don't integrate with these
  • Brokers list your company in our "carrier network" directory (opt-out available)

Data Security Practices

  1. Encryption in transit — TLS 1.2+ (https://)
  2. Encryption at rest — AES-256
  3. Hashing — passwords are bcrypt hashed (not reversible)
  4. Rate limiting — protects against brute-force attacks
  5. SQL injection prevention — parameterized queries, input validation
  6. CSRF protection — tokens on all state-changing requests
  7. Session security — random tokens, secure cookies, 30-minute timeout
  8. Two-factor authentication — optional but recommended for Admins

Breach Notification

If we discover unauthorized access to your data:

  1. Notify you within 24 hours
  2. Provide details (what data, when, extent of access)
  3. Offer identity theft monitoring (if personal data exposed)
  4. File required notifications (law enforcement, regulators if needed)

We maintain cyber insurance to cover costs.

Data Deletion

To delete your data:

  1. Go to Settings → Account → Delete Account
  2. All data is deleted within 24 hours
  3. Backups (which may contain your data) are retained 30 days, then deleted

For GDPR "right to be forgotten," data is deleted within 30 days.

Compliance Certifications

  • GDPR — compliant (EU data protection)
  • CCPA — compliant (California privacy)
  • HIPAA — not applicable (we don't handle health data)
  • PCI-DSS — we don't store payment cards (Stripe does; they're PCI-DSS compliant)

Privacy Policy

Full privacy policy: https://freightconnect.ai/privacy

Key points:

  • We collect email, company name, load data
  • We don't sell data to third parties
  • We use data to improve our service
  • You control what you share

Data Subject Rights

Under GDPR/CCPA, you have the right to:

  • Access — get a copy of your data
  • Correction — fix inaccurate data
  • Deletion — delete your account and data
  • Portability — export data in standard format
  • Object — stop certain uses of your data

Submit requests to: matt@freightconnect.ai

Response time: 30 days.

Last updated: April 2026