Security at Techfleet Sync

Your inventory data is the backbone of your operation. We treat its security with the seriousness it deserves. Here's exactly what we do to protect it.

Encryption everywhere

  • All data in transit is encrypted using TLS 1.3. We do not support TLS 1.0 or 1.1.
  • All data at rest is encrypted using AES-256, including database records, file storage, and backups.
  • API keys and passwords are stored as salted bcrypt hashes. We cannot retrieve your password — only reset it.
  • Environment secrets are stored in AWS Secrets Manager with automatic rotation for critical credentials.

Access controls

  • Production system access is restricted to authorized engineers via SSH key authentication with MFA required.
  • All privileged access is logged, audited, and reviewed quarterly.
  • Customer data access by Techfleet employees is role-based and limited to what's necessary for support or debugging.
  • We enforce the principle of least privilege across all internal systems.

Infrastructure security

  • Our infrastructure runs on AWS with services deployed across multiple availability zones for redundancy.
  • We use VPC isolation, security groups, and network ACLs to limit exposure of internal services.
  • Database instances are not publicly accessible — all access is through private networking.
  • Automated vulnerability scanning runs on all deployed container images and infrastructure as code.

Monitoring and response

  • 24/7 infrastructure monitoring with automated alerting for anomalous patterns.
  • Application-level error and security event logging via Sentry and CloudWatch.
  • Rate limiting and bot detection on all public-facing endpoints, including API and live links.
  • In the event of a confirmed breach affecting customer data, we will notify affected customers within 72 hours.

Compliance and certifications

PIPEDA

We comply with Canada's Personal Information Protection and Electronic Documents Act for all Canadian user data.

GDPR

For users in the European Economic Area, we comply with GDPR data subject rights and processing requirements.

SOC 2 (In Progress)

We are currently undergoing SOC 2 Type II certification. Expected completion: Q3 2025.

Responsible Disclosure

We take security vulnerabilities seriously and appreciate the work of security researchers who help keep our platform safe. If you've found a security issue in Techfleet Sync, please disclose it to us privately.

Contact

Email security@techfleet.ca with a detailed description of the vulnerability. Please do not disclose publicly until we've had a chance to investigate and remediate.

What to include

Type and location of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept (code, screenshots, network captures).

Response timeline

We will acknowledge your report within 48 hours. We aim to validate and triage within 7 days, and provide a timeline to remediation within 14 days.

Safe harbor

Security researchers who responsibly disclose valid vulnerabilities will not face legal action from us. We ask that you avoid accessing customer data, performing destructive testing, or disrupting service availability during your research.

Rewards

We do not currently operate a public bug bounty program, but we may offer recognition or rewards for significant findings at our discretion.

Report a vulnerability