Security & Compliance
Last updated: 10 June 2026
Your drivers' locations, proof-of-delivery photos and customer addresses are sensitive
business data. This page explains — in plain terms — how ShiftsPod protects them.
Questions? Email [email protected].
1. Encryption
- In transit: all traffic — web, driver apps and API — is served exclusively over HTTPS (TLS 1.2+) through Cloudflare's global edge network.
- Credentials: passwords are hashed with bcrypt (salted, at a high cost factor). We never store, log or transmit plaintext passwords.
- Media links: proof-of-delivery photos are served only through cryptographically signed, time-limited URLs. A leaked link expires on its own; an unsigned request is rejected outright.
2. Tenant isolation
ShiftsPod is multi-tenant: each company's data is segregated by design, at two independent layers.
- Database level: PostgreSQL Row-Level Security policies are enforced for the application's database role. Even if application code had a bug, the database itself refuses to return another company's rows.
- Application level: every query is additionally scoped to the authenticated company, and cross-tenant isolation is covered by automated tests in our CI pipeline.
3. Access control
- Role-based access: three permission tiers — Superadmin (owner), Dispatcher (day-to-day operations) and Viewer (read-only). Enforced server-side on every endpoint.
- Short-lived sessions: access tokens expire after 60 minutes and are renewed via rotating refresh tokens; a stolen token has a short shelf life, and all sessions can be revoked at once.
- Brute-force protection: login and API endpoints are rate-limited; repeated failures are throttled automatically.
- API keys: programmatic access uses scoped API keys that can be revoked instantly, managed only by company owners.
4. GDPR & data retention
- Processor model: you stay the data controller; ShiftsPod processes driver data on your behalf under our Data Processing Agreement.
- Configurable retention: each company sets its own retention windows per data category — GPS history, POD photos, vehicle-check records, notification logs — and a nightly job permanently deletes data past its window, including the underlying photo files. Nothing is auto-deleted unless you explicitly enable it.
- Data minimisation: GPS is collected only during an active shift; the driver app records nothing while off shift.
- Erasure requests: deletion requests (e.g. a departed driver) are honoured — contact [email protected].
5. Backups & continuity
- Nightly automated backups of the database and all media, with rotation.
- Off-site replication: backups are copied to separate infrastructure in a different physical location every night.
- Tested restores: backups are verified for integrity on every run, and we perform restore drills — a backup that hasn't been restored is treated as no backup at all.
- Monitoring: the platform is watched 24/7 by an external uptime monitor from independent infrastructure, plus real-time error tracking. We usually know about a problem before you do.
6. Infrastructure security
- Zero exposed services: application servers accept no inbound connections from the public internet — all traffic arrives through an authenticated, outbound-only Cloudflare Tunnel. There is no web port to scan or attack directly.
- Hardened access: server administration is SSH key-only (password logins disabled), behind a default-deny firewall, with automatic brute-force banning.
- Patching: operating system security updates are applied automatically.
- European hosting: production data is hosted in European data centres and served through Cloudflare's edge; data stays within the UK/EU data-protection regime.
7. Audit & accountability
- Audit log: security-relevant events — logins, force-ends, deletions, configuration changes — are recorded per company with actor, timestamp and context.
- Export: owners can export their full audit trail as CSV for any date range, for internal review or a client audit.
- Retention: audit records are kept on a configurable schedule, separate from operational data.
8. Reporting a vulnerability
If you believe you've found a security issue in ShiftsPod, please email [email protected] with the details. We read every report, respond quickly, and won't take legal action against good-faith research. Please don't access data that isn't yours or disrupt the service while testing.
Want a deeper technical review, a completed security questionnaire, or our DPA countersigned?
Get in touch — we're happy to work with your IT and compliance teams.