
Security & trust

Honest posture.

No certification claims we can't back. The pillars below describe what we actually do today; SOC 2, and the road there, is called out separately below.

What we do

Seven pillars.

  • Identity + access

    • bcrypt cost 12 password hashing.
    • Auth.js v5 with JWT sessions; the user and role are re-read from the DB on every authenticated request, so a stale JWT cannot carry privileges the account no longer has, and a stolen one cannot elevate beyond what the DB currently grants that user.
    • DirtFleet staff TOTP gate on /admin (mandatory, freshness-checked).
    • Per-org RBAC + per-user capability overrides. Org-wide today; per-yard scoping is opt-in.
    • Customer impersonation by staff is read-only (mutations blocked) + audit-logged.
  • Data isolation

    • Every table carries organizationId. Every query is scoped at the DB layer — cross-tenant access fails on FK + unique constraints, not just convention.
    • Cross-tenant access by DirtFleet staff goes through requireDirtfleetAdmin and writes an AdminAuditLog row.
    • Tenant-side mutations write an org-scoped AuditLog row (lib/audit.ts) — visible to org admins at /settings/audit.
  • Encryption

    • TLS 1.2+ on every public endpoint. HSTS preload eligible (max-age of at least one year, includeSubDomains and preload directives set).
    • Postgres at-rest encryption is the responsibility of the managed-Postgres host (Supabase, RDS, Hetzner Managed). Our deploy doc requires it.
    • OEM credentials stored AES-GCM encrypted (lib/oem/crypto). Never plaintext on disk.
    • API keys + device tokens stored as SHA-256 hashes only. Plaintext shown ONCE on creation.
    • Web push uses VAPID; payload encryption per RFC 8291.
  • Logging + audit

    • Structured logs (lib/log) with optional Sentry forwarder.
    • AdminAuditLog: every cross-tenant read or privileged event by DirtFleet staff.
    • AuditLog (org-side): mutating events on assets, work orders, incidents — required for SOC 2 Type II.
    • ConsentRecord: append-only ledger of TERMS / PRIVACY / LOCATION_TRACKING / MARKETING_EMAIL / COOKIE_ANALYTICS grants + revokes.
  • Backups + recovery

    • Continuous WAL streaming + daily snapshots + 30-day PITR window via the managed-Postgres host.
    • Weekly snapshots retained 90 days; monthly retained 365.
    • Quarterly DR drill. Full runbook at docs/BACKUP_DR.md.
    • Object storage (S3/R2) versioned + cross-region replicated when configured.
  • Operational

    • Single Postgres + single Vercel region today; multi-region on the roadmap when a customer requires it for residency.
    • Status page at /status with live probes for web, DB, webhooks, email, photo storage.
    • Public platform-incident timeline at /status (90-day window) — we publish in-band.
    • Resend bounce + complaint webhook auto-suppresses bad addresses.
  • Privacy + compliance

    • GDPR + CCPA tooling: full org export at /api/export/org-archive; per-user delete via lib/user-delete.
    • Consent ledger (lib/consent) with versioning so an updated terms doc auto-invalidates stale consents.
    • OSHA Form 300-aligned incident export at /api/export/osha300.
    • Davis-Bacon / WH-347 weekly worker rollup at /api/export/certified-payroll.

SOC 2

Type I in progress

We're targeting SOC 2 Type I for late 2026, Type II in 2027 once the 12-month observation window completes. Until then, our posture is documented above and the audit trail (AdminAuditLog + AuditLog + ConsentRecord) is built specifically to support the eventual auditor's requirements.

Sub-processors

Who else touches your data.

We list every named sub-processor used by the production deployment. When a configuration is opt-in (R2, Twilio, WorkOS, Sentry) we say so.

  • Vercel: Web hosting + edge network
  • Supabase / Hetzner / RDS: Managed Postgres (per deployment)
  • Cloudflare R2 / AWS S3: Photo + document storage (when configured)
  • Stripe: Payment processing
  • Resend: Transactional email
  • Twilio: SMS notifications (when configured)
  • Google (Gemini API): AI insights, OCR, DTC narrative
  • WorkOS: SAML SSO + SCIM Directory Sync (when configured)
  • Sentry: Error + performance monitoring (when configured)

Reporting a vulnerability

Responsible disclosure.

Email security@dirtfleet.app with reproduction steps. We acknowledge within one business day, triage within three, and publish the disclosure timeline once a fix has shipped. We do not (yet) run a paid bug-bounty program; for now, public credit and a thank-you in the changelog are what we can offer.

Want a SOC 2 readiness questionnaire or a CAIQ-Lite filled out today? Email security@dirtfleet.app; we'll turn it around in 5 business days.
