SOC 2 Compliance

FreightConnect is pursuing SOC 2 Type 2 certification to demonstrate our commitment to security and reliability.

Current Status

Target: SOC 2 Type 2 certification by Q3 2026

Current progress:

  • Security infrastructure: Complete
  • Access controls: Complete
  • Data encryption: Complete
  • Audit trails: Complete
  • Third-party audit: Scheduled for Q2 2026

We're transparent about our timeline. This page will be updated when certification is achieved.

What is SOC 2?

SOC 2 (Service Organization Control) is a framework developed by the AICPA (American Institute of CPAs) for evaluating how service providers manage customer data and systems.

SOC 2 Type 1 — validates controls are designed correctly (point-in-time assessment)

SOC 2 Type 2 — validates controls work effectively over time (6-12 month audit period) — more rigorous

Enterprise customers typically require SOC 2 Type 2 before signing contracts.

What We're Auditing

The audit covers five "trust service criteria":

  1. Security — unauthorized access prevented; data protected
  2. Availability — systems are available when needed (99.9% uptime)
  3. Processing Integrity — transactions are complete, accurate, timely
  4. Confidentiality — sensitive data (shipper info, rates) is protected
  5. Privacy — personal data (driver names, SSNs) is used per regulations

In the Meantime

Before certification, we maintain:

  • Encryption — TLS in transit, AES-256 at rest
  • Access controls — role-based permissions; multi-factor authentication
  • Audit logs — all system access is logged
  • Incident response — documented procedures for security breaches
  • Privacy policy — transparent about data handling
  • DPA — Data Processing Agreement for GDPR compliance

These controls are independent of SOC 2 and are in place now.

Request for Audit Access

If you're an Enterprise customer who needs to verify our controls:

  1. Request a pre-audit report or attestation letter from matt@freightconnect.ai
  2. We can grant read-only access to your auditors for review
  3. We'll sign your Data Processing Agreement (DPA) if needed

This helps you meet your own compliance requirements while we're pursuing formal certification.

After Certification

Once we achieve SOC 2 Type 2:

  • You'll receive a SOC 2 Report (attestation document)
  • You can use this to demonstrate to your customers that your data is secure
  • We'll publish a summary on our security page

Standards & Frameworks

Beyond SOC 2, FreightConnect adheres to:

  • ISO/IEC 27001 — information security management (in progress)
  • GDPR — European data protection regulation (compliant)
  • CCPA — California consumer privacy (compliant)
  • HIPAA — health data (not applicable; we don't handle health data)

Security Team

Our security team includes:

  • Chief Information Security Officer (CISO)
  • Security engineers (2)
  • Compliance officer
  • Third-party penetration testers (annual)

Penetration Testing

We conduct:

  • Annual external penetration tests — third-party security firm tests our systems
  • Quarterly internal testing — our team runs controlled tests
  • Bug bounty program — paying security researchers for responsible disclosures (coming Q2 2026)

Incident Response

If a security incident occurs:

  1. We immediately isolate affected systems
  2. Investigate the scope (what data was accessed?)
  3. Notify affected users within 24 hours
  4. File required notifications (law enforcement, regulators if needed)
  5. Post-incident review and process improvements

Data Residency

All FreightConnect data is stored in:

  • US data centers — Amazon AWS (Virginia, Oregon, California regions)
  • No international transfers — shipper/carrier data never leaves the US (unless the customer is located outside the US, in which case the GDPR DPA applies)

If you need data in a specific region (EU, Canada), contact matt@freightconnect.ai.

Vendor Security

We work with vetted vendors:

  • AWS — SOC 2 Type 2 certified
  • Stripe — SOC 2 Type 2 certified
  • SendGrid (email) — SOC 2 Type 2 certified
  • Samsara/Motive/Geotab (ELDs) — security certifications verified

All vendors sign Business Associate Agreements (BAAs) or Data Processing Agreements.

Last updated: April 2026