Security
Last updated: 1 January 2026
At Suply Ltd., security is a core part of how we build and operate the CargoPilot platform. We invest continuously in protecting your data and maintaining the trust you place in us.
Infrastructure Security
CargoPilot is hosted on enterprise-grade cloud infrastructure with the following protections in place:
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AES-256.
- Databases are isolated in private network segments with no direct public internet access.
- Regular automated backups are taken, with point-in-time recovery available.
- Infrastructure is monitored 24/7 for anomalous activity.
Application Security
- Passwords are hashed using bcrypt with a high cost factor — we never store plaintext credentials.
- Authentication tokens are short-lived and invalidated on logout.
- Role-based access controls ensure users can only access data within their organisation.
- All API endpoints are authenticated and authorised before processing requests.
- File uploads are scanned and validated for type and content.
- Parameterised queries are used throughout to prevent SQL injection, and input sanitisation is applied throughout to prevent XSS.
Organisational Security
- Access to production systems is restricted to authorised personnel and governed by the principle of least privilege.
- All team members with access to customer data undergo background checks and receive regular security training.
- We maintain a documented incident response plan with defined escalation paths.
- Security reviews are conducted when introducing new features or infrastructure changes.
Third-Party Services
We carefully vet any third-party services that process your data. All sub-processors are bound by data processing agreements and are required to maintain appropriate security standards. Our current sub-processors are listed in our Privacy Policy.
Incident Response
In the event of a confirmed security incident affecting your data, we will notify affected customers within 72 hours of becoming aware of the breach, in accordance with our obligations under the UK GDPR, and will notify the Information Commissioner's Office (ICO) where required.
Vulnerability Disclosure
We operate a responsible disclosure policy. If you discover a potential security vulnerability in our platform, please report it to us privately before making it public. We will investigate all reports promptly and keep you informed of our progress.
To report a vulnerability, email service@suply.ai with a detailed description of the issue, steps to reproduce it, and any supporting materials. We aim to acknowledge all reports within 2 business days.
We ask that you do not access, modify, or delete customer data as part of any research, and that you do not perform testing against production systems without prior written authorisation.
Bug Bounty
We recognise the important role of security researchers in keeping our platform safe. While we do not currently operate a formal paid bug bounty programme, we will acknowledge responsible disclosures and consider recognition on a case-by-case basis.