Security and Data Handling
Effective Date: May 2, 2026
Last Updated: May 2, 2026
FasterQuotes processes RFQ emails on behalf of freight brokers, carriers, and 3PLs. We treat the integrity and confidentiality of that data as a non-negotiable requirement of the Service. This page describes the technical and organizational measures we maintain to protect Customer Data and to detect, contain, and remediate incidents.
1. Encryption
At rest. All Customer Data is encrypted at rest using AES-256-GCM. OAuth refresh tokens for Connected Mailboxes are individually encrypted with a per-row 12-byte AES-GCM nonce; the encryption key material is held in the Railway production environment and is never written to source.
In transit. All client-to-server and inter-service traffic uses TLS 1.2 or higher, with TLS 1.3 preferred where supported.
2. Infrastructure
We host on Supabase (managed Postgres + Auth + Realtime, US region), Railway (backend application), and Vercel (frontend and edge delivery). The full list of Sub-Processors with locations is at /sub-processors.
3. Tenant Isolation
- Postgres Row-Level Security (RLS) policies enforce per-organization isolation on every Customer-data table.
- JWT claims carry an
org_idset on every authenticated request. Backend handlers always include theorg_idfilter when reading or writing Customer rows. - Supabase Realtime subscriptions are filtered by
org_idso events do not leak across tenants. - Service-role queries are audited; service-role access is restricted to specific backend code paths and never exposed to the client.
4. Access Controls
- Service role keys for the backend are held only in the production environment and rotated on a documented runbook.
- Two-factor authentication is enforced on all administrative consoles (Supabase, Railway, Vercel, Google Workspace, Mailgun, GitHub).
- Human access follows the principle of least privilege; access is reviewed periodically and removed at the end of need.
- Single sign-on (SSO) for Customer accounts is on the roadmap; not yet generally available.
5. Secrets Management
Secrets are managed through environment variables in Railway and Vercel; secrets are never committed to source. OAuth refresh tokens are encrypted at the application layer with AES-256-GCM. Rotation procedures for all classes of secret are documented.
6. Vulnerability Management
Dependencies are tracked via npm and pip lockfiles. CVE alerts are monitored, and security patches are applied promptly. Security disclosure email: security@fasterquotes.io.
7. Incident Response
- Structured logging and error aggregation feed 24/7 alerting on anomalies.
- On a confirmed Personal Data Breach affecting Customer Data, FasterQuotes notifies affected Customers without undue delay and in any event within 72 hours of confirmed awareness, consistent with GDPR Article 33 timing.
- Notification will include, to the extent then known: the nature of the breach, the categories and approximate volume of records affected, the likely consequences, and the measures taken or proposed to address it.
8. Backups and Recovery
Supabase managed daily backups run with a 30-day retention window. Recovery procedures are documented and exercised periodically.
9. Data Residency
Customer Data is stored and processed in the United States today. Where Personal Data subject to the GDPR or UK GDPR is transferred to FasterQuotes, the transfer is governed by the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum, as set out in our Data Processing Addendum.
10. Data Retention
Retention timelines for each data category are described in Section 7 of the Privacy Policy.
11. Data Deletion
- Connected Mailbox. A Customer can disconnect any Connected Mailbox from within the application. Disconnection stops new ingestion immediately, and the previously-ingested data is purged within 30 days unless the Customer chooses to retain it for working purposes.
- Per-record deletion. Customers can delete individual extractions and related records via the in-product UI.
- Account deletion. Account deletion is initiated by emailing privacy@fasterquotes.io from the address on the account. Full purge completes within 30 days.
12. Audits and Certifications
SOC 2 Type II audit is underway; a formal report will be issued in a future period. In the interim, a security questionnaire and bridge letter are available on request to security@fasterquotes.io. We do not claim certifications we do not hold.
A CASA Tier 2 assessment is scheduled in connection with Google API restricted-scope verification for gmail.readonly.
13. Logistics-Specific Commitments
The freight industry has well-founded concerns about how RFQ data is handled. The following commitments apply specifically to logistics Customer Data:
- No cross-customer rate aggregation. Rate quotes, lane patterns, MC# / USDOT# to-customer mappings, dispatcher contact information, and similar competitively sensitive details drawn from a Customer's RFQ emails are treated as Confidential Customer Data. We do not aggregate, benchmark, anonymize, or resell such data across customers, including for "market intelligence" or "benchmark" products.
- Public look-ups stay public. Carrier look-ups by MC# or USDOT# are sourced from the public FMCSA Company Census. Customer-private data is never used to enrich or modify these look-ups.
- Driver and CDL data. Driver names, CDL numbers, and similar information appearing in RFQ emails are treated as Confidential Customer Data, are never used for AI training, and are purged on Customer request within 30 days.
14. Reporting a Security Issue
Email security@fasterquotes.io with details. We commit to acknowledging the report within two business days.
Last updated: May 2, 2026